{ "version": "2026-04-25", "updated": "2026-04-25", "curricula": [ { "id": "pattern", "title": "1 · Phishing-Pattern erkennen", "short": "Sender-Tricks, Domain-Spoofing, Urgency, Authority", "icon": "shield", "color": "#dc2626", "description": "Die klassischen Pattern: gefälschte Absender, ähnliche Domains, künstliche Dringlichkeit, gefakte Autorität. Wie man sie technisch und sozial erkennt.", "source_md": "00-pattern.md", "modules": [ { "id": "absender-tricks", "title": "Absender-Tricks (Spoofing, Display-Name)", "objectives": ["From-Header von Reply-To unterscheiden","Display-Name vs. echte Adresse","SPF/DKIM/DMARC-Status lesen"], "topics": ["From","Reply-To","Display-Name","SPF","DKIM","DMARC"], "difficulty": "mittel", "source_heading": "Absender-Tricks" }, { "id": "domain-spoofing", "title": "Domain-Spoofing & Look-Alikes", "objectives": ["Homoglyph-Attacks erkennen (rn vs. m, 0 vs. O)","Subdomain-Spoofing (paypal.security-update.tld)","Punycode (xn--)"], "topics": ["Homoglyph","Punycode","Subdomain"], "difficulty": "schwer", "source_heading": "Domain-Spoofing" }, { "id": "urgency-authority", "title": "Urgency & Authority — Social Engineering", "objectives": ["Urgency-Marker erkennen (heute, sofort, letzte Mahnung)","Authority-Marker (CEO, Anwalt, Behörde)","Cognitive-Bias-Trigger"], "topics": ["Urgency","Authority","Reciprocity","Scarcity"], "difficulty": "einfach", "source_heading": "Social Engineering" } ] }, { "id": "ceo-fraud", "title": "2 · CEO-Fraud & Authority-Attacks", "short": "Wie der vermeintliche CEO Geld überweisen lässt", "icon": "alert", "color": "#dc2626", "description": "Eine der teuersten Phishing-Varianten: gefälschte Mails vom Geschäftsführer an die Buchhaltung, oft mit Druck und Geheimhaltungs-Bitte.", "source_md": "01-ceo-fraud.md", "modules": [ { "id": "ceo-grundlagen", "title": "CEO-Fraud — wie es läuft", "objectives": ["Typischer Ablauf (Recherche → Mail → Druck → Überweisung)","Pre-Texting via LinkedIn","Targeting der Buchhaltung"], 
"topics": ["Recherche","Pre-Texting","LinkedIn-OSINT"], "difficulty": "mittel", "source_heading": "CEO-Fraud-Ablauf" }, { "id": "ceo-erkennung", "title": "Erkennungs-Marker", "objectives": ["Geheimhaltungs-Bitte als Red-Flag","Domain-Mikroskopie (CEO@firma-de.com vs. .de)","Erste-Mail-Pattern (kein Vor-Mail-Verlauf)"], "topics": ["Geheimhaltung","Domain-Check","Vor-Mail-Verlauf"], "difficulty": "mittel", "source_heading": "Erkennung" }, { "id": "ceo-prozess", "title": "Prozess-Schutz: 4-Augen + Voice-Callback", "objectives": ["Voice-Callback per bekannter Nummer","4-Augen-Prinzip ab Schwellen-Betrag","Abweichungs-Doku & Eskalation"], "topics": ["4-Augen","Voice-Callback","Schwellen-Betrag"], "difficulty": "schwer", "source_heading": "Prozess-Schutz" } ] }, { "id": "bec", "title": "3 · Business Email Compromise (BEC)", "short": "Wenn der Account selbst übernommen wurde", "icon": "alert", "color": "#dc2626", "description": "BEC = der Angreifer hat Zugriff auf einen echten Account und schreibt FROM diesem Account. Schwerste Variante, da SPF/DKIM grün sind.", "source_md": "02-bec.md", "modules": [ { "id": "bec-grundlagen", "title": "BEC — was es ist, warum so gefährlich", "objectives": ["BEC vs. Phishing abgrenzen","Conversation-Hijacking erkennen","Vendor-Email-Compromise (VEC)"], "topics": ["BEC","VEC","Conversation-Hijacking"], "difficulty": "schwer", "source_heading": "BEC-Grundlagen" }, { "id": "bec-bankdaten", "title": "Bankdaten-Änderungs-Trick", "objectives": ["Last-Minute-IBAN-Änderung als Red-Flag","Verifikation via 2. Kanal","Vertragliche Klauseln gegen IBAN-Änderung"], "topics": ["IBAN-Änderung","2. Kanal","Vertragsklausel"], "difficulty": "mittel", "source_heading": "Bankdaten-Trick" }, 
{ "id": "bec-mfa", "title": "MFA-Bypass & Token-Diebstahl", "objectives": ["AiTM-Angriffe (EvilProxy, Modlishka)","Session-Cookie-Diebstahl","Phishing-resistente MFA (FIDO2)"], "topics": ["AiTM","Session-Cookie","FIDO2"], "difficulty": "schwer", "source_heading": "MFA-Bypass" } ] }, { "id": "qr-deepfake", "title": "4 · QR-Phishing & Deepfake-Voice", "short": "Die neuen Vektoren — Bilder-QR und KI-Stimmen", "icon": "eye", "color": "#dc2626", "description": "Quishing (QR-Phishing in Mails/Postern) und Vishing (Voice-Phishing) inkl. Deepfake-Stimmen — die wachsenden Angriffsflächen 2025/2026.", "source_md": "03-qr-deepfake.md", "modules": [ { "id": "quishing", "title": "Quishing — QR-Phishing", "objectives": ["QR-Codes vor Scan auf Ziel-URL prüfen","Verstehen, warum QR-Codes Mobile-Filter umgehen","Awareness in Konferenzräumen/Büro-Aushängen"], "topics": ["QR","Mobile-Filter","Office-Awareness"], "difficulty": "mittel", "source_heading": "Quishing" }, { "id": "voice-vishing", "title": "Vishing — Voice-Phishing", "objectives": ["Helpdesk-Impersonation","Identifikations-Verfahren am Telefon","Code-Words / Safe-Phrases"], "topics": ["Helpdesk","Identifikation","Safe-Phrase"], "difficulty": "mittel", "source_heading": "Vishing" }, { "id": "deepfake", "title": "Deepfake-Voice (CEO-Anruf)", "objectives": ["Wie KI-Stimm-Klone heute klingen","Verifikations-Frage-Pattern","Eskalations-Workflow bei Verdacht"], "topics": ["Voice-Cloning","Verifikations-Frage","Eskalation"], "difficulty": "schwer", "source_heading": "Deepfake-Voice" } ] }, { "id": "incident-response", "title": "5 · Incident-Response (Wenn's passiert ist)", "short": "Erste 60 Minuten, NIS2-Meldepflicht, Kommunikation", "icon": "search", "color": "#dc2626", "description": "Wenn jemand geklickt hat: Sofort-Maßnahmen, Forensik-Schutz, NIS2-Meldepflicht, Kommunikation an Betroffene und Behörden.", "source_md": "04-incident-response.md", "modules": [ { 
"id": "ersten-60-min", "title": "Die ersten 60 Minuten", "objectives": ["Account isolieren (nicht löschen)","Passwörter zentral resetten","Audit-Logs sichern"], "topics": ["Isolation","Reset","Audit-Logs"], "difficulty": "mittel", "source_heading": "Erste 60 Min" }, { "id": "meldepflichten", "title": "Meldepflichten (NIS2 / DSGVO)", "objectives": ["NIS2 24h-Frühwarnung, 72h-Meldung, 30-Tage-Bericht","DSGVO 72h Datenpannen-Meldung","Wer die zuständige Behörde ist"], "topics": ["NIS2","Art. 33 DSGVO","BSI"], "difficulty": "schwer", "source_heading": "Meldepflichten" }, { "id": "kommunikation", "title": "Kommunikation an Team & Kund:innen", "objectives": ["Holistic Communication-Plan","Was darf öffentlich gesagt werden","Reputations-Schutz vs. Transparenz"], "topics": ["Communication-Plan","Public-Statement","Reputation"], "difficulty": "mittel", "source_heading": "Kommunikation" } ] } ] }