How to recognize phishing

Recognizing phishing mails made easy

  • Don't trust the sender shown! You may only see the display name, not the email address itself. And even an @uni-koblenz.de address is not necessarily trustworthy.
  • Do not click a link in an email whose authenticity you are not 100% sure of.
  • Check whether the displayed link and the link's destination match: hover your mouse over the link and wait a moment ("mouseover"). Both the readable link text and the target that now becomes visible should be identical and point to a plausible destination. Test the mouseover in your browser with this faked link: https://uni-koblenz.de/infos . Can you see (without clicking on it) that this link would actually not take you to "uni-koblenz.de"?
  • Under no circumstances should you download file types that are known to frequently contain viruses, including .doc, .xls, .ppt and also .zip files.
  • Before you enter your university password on a page, check the so-called "who section" of the web address: the "who section" consists of the two terms that are separated by a period and stand directly before the first single slash "/". Only enter your university password on pages where the "who section" ends in "uni-koblenz.de/" or "uni-ko.de/".
  • Search ZIMT's collection of confirmed phishing attempts for the sender and/or subject of the email in question.
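
As an added example (not part of the ZIMT page), the following Python code applies the two checks above mechanically: it extracts the "who section" of a link target exactly as the page defines it (the two terms before the first single slash) and compares the readable link text with the real destination, as the mouseover does. The sample links are constructed and `attacker.example` is a placeholder domain.

```python
from urllib.parse import urlsplit

# Domains on which the page allows entering the university password.
TRUSTED_WHO = {"uni-koblenz.de", "uni-ko.de"}

def who_section(url: str) -> str:
    """Return the "who section" of a URL: the two period-separated terms
    directly before the first single slash. Anything in front of them
    (sub-domains, user@ parts, ports) and anything after the slash does not
    count, which is exactly what disguised links rely on. This is the page's
    two-label rule; it does not cover multi-part suffixes such as .co.uk."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")  # lower-case, no port, no user@
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def password_allowed(url: str) -> bool:
    """The page's rule: enter the password only if the who section is a university domain."""
    return who_section(url) in TRUSTED_WHO

def looks_like_url(text: str) -> bool:
    """Link text such as "Click here" carries no address to compare against."""
    text = text.strip()
    return "." in text and not any(c.isspace() for c in text)

def check_link(displayed: str, target: str) -> list:
    """Emulate the mouseover check: compare the readable link text with the
    real destination, then judge the destination's who section."""
    findings = []
    target_who = who_section(target)
    if looks_like_url(displayed) and who_section(displayed) != target_who:
        findings.append(f"shows {who_section(displayed)!r} but goes to {target_who!r}")
    if not password_allowed(target):
        findings.append(f"destination {target_who!r} is not a university domain")
    return findings

if __name__ == "__main__":
    # Constructed sample links: the disguises the who-section rule sees through.
    samples = [
        ("https://uni-koblenz.de/infos", "https://uni-koblenz.de/infos"),
        ("https://uni-koblenz.de/infos", "https://uni-koblenz.de.attacker.example/login"),
        ("https://uni-koblenz.de/infos", "https://attacker.example/uni-koblenz.de/login"),
        ("https://uni-koblenz.de/infos", "https://uni-koblenz.de@attacker.example/login"),
        ("Reset your mail quota", "https://mail.uni-koblenz.de/quota"),
    ]
    for shown, real in samples:
        print(f"{real:55} -> {check_link(shown, real) or ['looks consistent']}")
```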

What is Phishing all about?

Wikipedia offers a very good and detailed explanation. You can find a somewhat better illustrated infographic at http://www.betrugstest.com/phishing/. In short, phishing is the attempt to use fake emails to obtain passwords that can then be misused for various purposes. Within the university, the most damage from phishing is caused when phished passwords are used to send spam or further phishing emails via the university mail server. This cannot be prevented automatically, and it may result in our mail server being classified as "spamming" and no longer being able to deliver emails worldwide. A small number of careless users can thus result in around 10,000 users no longer being able to send emails - very annoying.

How can I recognize a phishing mail?

As a general rule, a phishing email first attempts to create uncertainty or panic in the recipient. It uses topics that affect many people around the world: "Your account has been cracked", "Your mail quota is exhausted" etc. It then points out that you need to act quickly and refers you to a website where, by entering your user data, you are supposedly able to solve the problem. You can find a very helpful video with hints for detecting phishing at the Bundesamt für Sicherheit in der Informationstechnik (BSI).

The following information can help you identify whether a mail is, for example, a real warning email from ZIMT or a phishing email:

  1. In general, the sender of an email is easy to forge. As with a good old paper letter, any address can be specified as the sender. What matters here: always display the sender's email address, not just the display name. Correct settings in Thunderbird.

  2. Check whether the content of the email actually fits. For example, if a full mailbox is referenced, first check whether your mailbox is really full. Under no circumstances should you use a link provided in the email.

  3. Look at the return address. We (ZIMT) will never send you an email from an address outside the university. However, because sender addresses are easy to forge (see 1), you cannot be sure that emails with known sender addresses are not phishing.

  4. If the link provided refers to an address outside the university, stay away!

  5. Never simply click on a link provided, even if the address contains “uni-koblenz.de”. Instead, type the address yourself into the address field of your browser. The address displayed and the address actually clicked on are easily falsified!

  6. Pay attention to the language in the subject and email text: very often the German translations of phishing emails are generated automatically, resulting in grammatical nonsense. All ZIMT employees speak German well enough to express themselves clearly (apart from typos)!

  7. We will never ask you to email us your password!

  8. Attachments that end in .zip - if you do not expect them from this sender - are usually attacks via the Windows archive program zip/unzip. When the archive is unpacked, a Trojan or worm is installed. Never open such attachments!

  9. The general rule for attachments is: Use common sense to check whether the attachment provided is plausible! For example, no company in the world will send you a bill as a Word document (.doc). You would be able to change the bill... that doesn't make sense, you say? Correct! Executable programs (.exe) or JavaScript code (.js) also generally make no sense -- unless you have previously agreed to receive this attachment from the sender.

  10. Many phishing attempts are sent using the sender addresses of the major Internet providers (Paypal, DHL, Deutsche Bahn, Telekom, Amazon ...) and are usually quite well done so that the content appears plausible: Do not click on a link provided in the email, but instead start your browser and manually go to the relevant provider's website. If there is a serious problem, they will certainly point it out to you.

None of these clues is a guarantee; almost anything can be faked, and this is sometimes exploited very cleverly. But 95% of all phishing scams are easy to recognize based on these clues.

Torpedo plugin for Thunderbird

A plugin for Thunderbird named TORPEDO can be helpful for detecting fake and dangerous links in mail. For example, it checks for hard-to-recognize "typing errors" and for differences between the text of a link and its destination. Very helpful for detecting dangerous links in emails before you click them!
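
To illustrate what a check for "hard-to-recognize typing errors" can look like, here is an added Python example (not TORPEDO's code and not part of this page): it compares the domain of a link with the university domains, once after collapsing characters that look alike in a mail client's font, and once by edit distance. The confusable table and the sample domains are constructed.

```python
from urllib.parse import urlsplit

TRUSTED = ("uni-koblenz.de", "uni-ko.de")

# Constructed table of characters that are easy to mistake for one another in a
# typical mail-client font; a real checker would use a much fuller list.
SINGLE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def normalize(label: str) -> str:
    """Collapse look-alike spellings so "uni-kob1enz" and "uni-koblenz" compare equal."""
    label = label.lower().translate(SINGLE)
    for seq, repl in MULTI:
        label = label.replace(seq, repl)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between two names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(url: str) -> str:
    """Last two labels of the host name (the page's "who section")."""
    host = (urlsplit(url if "://" in url else "https://" + url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify(url: str) -> str:
    """Return "trusted", "unrelated", or which university domain the link
    imitates and how (different TLD, confusable characters, or a typo)."""
    domain = registrable_domain(url)
    if domain in TRUSTED:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED:
        tname, _, _ttld = trusted.rpartition(".")
        if name == tname:                        # same name registered under another TLD
            return f"lookalike of {trusted}: different TLD .{tld}"
        if normalize(name) == normalize(tname):  # e.g. digit 1 standing in for letter l
            return f"lookalike of {trusted}: confusable characters"
        if edit_distance(name, tname) <= 2:      # one or two typing errors away
            return f"lookalike of {trusted}: typo"
    return "unrelated"
```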