Phishing Attacks Becoming More Frequent: How University Members Can Protect Themselves

Phishing efforts primarily take place via email. For example, a realistic-sounding mail urges the receiver to click on a link sent by someone the receiver allegedly knows or trusts. This link usually leads to a convincing phishing page and requests your username and password. The data is then gathered and used to take over accounts.

Often, the emails have an attachment—preferably in an Office format such as Word or Excel. Opening these installs malware that is also used to gather login data and can lead to the theft of saved files.

All staff members of Universität Hamburg, from students and teaching staff to administrative employees, are targets. Thus, we all need to be vigilant to minimize such attacks in the long term. Phishing mails are not the only problem: beware of text messages, WhatsApp, etc. and phony phone calls.

In many cases, mails are recognized as spam and marked accordingly in the subject line. Phishing mails, however, are becoming more and more professional, making them hard to detect at first glance.

Often, the mails come from compromised email addresses because the affected accounts often use University-wide circulars (e.g., the Executive University board circular on the current semester), which, in further phishing campaigns, can lend greater credibility. Highly valuable and/or administrative login data may then be accessed. If messages are sent from an already-compromised mail account, they will not be marked as spam in the subject line and they may even refer to earlier correspondence.

At the moment, we are dealing primarily with emails that appear to come from individual memers of University institutions, including for example the Welcome Service and the Executive University Board. The mails contain several fake links to a letter from the president and to the corona FAQs as well as a fake copy of the login page of Outlook Web Access (OWA) from Microsoft Exchange. Do not provide your login details!

Another classic ploy is a notification that the Outlook inbox is full and urging recipients to click on a link to remedy the problem.

The most important thing is to remain vigilant when handling emails, text messages, or phone calls! Almost everyone will have to deal at some point or other with these kinds of attacks. Be especially wary if you are asked to act immediately.

Check the sender address

Therefore, carefully read your emails and check the sender address.

It is helpful when the mail has a digital signature—for example, see the recent information mails from the University Administration and from other University institutions. In Outlook, this is the red seal symbol. If you click on this, you will find more information about the signature and its validity. This allows you to determine if the mail is trustworthy or not.

Tip: Contact the Regional Computing Center to find out about personal certificates enabling your to create digital signatures. You can use this signature for greater security (in German).

Check links

Links should also always be checked. Via “mouseover,” which means skimming your mouse over the link without clicking on the link, you can see where the link leads to. The most important thing here is the first part of the address provided. Even if “uni-hamburg” is part of a long link, always look at the beginning of the link address. “uni-hamburg” must come before the first single slash ( / ).

Correct: https://www.kus.uni-hamburg.de/de.html

Incorrect: hxxps://mialhamidiyyahpancur[.]sch.id/hh/hh/hh/webmail.chemie.uni-hamburg.de.html

Therefore, always look for the first single slash in the address: this will lead you onto the right path!

As a general rule, before typing in your uni username and your password on a web page, check the address line in the internet browser to see if it’s really a University page—for example, to use a University service or mail program.

Investigate further and do not reveal passwords!

If you receive spam or suspicious emails, do not under any circumstance click on attachments or links—simply delete the mail. If you are uncertain, ask the sender via telephone or zoom if they really sent the mail.

Phone calls can also be a means for deception. Here, too, you must be vigilant—never provide access data or passwords via telephone. Nobody, not even the Regional Computing Center, will ask you to provide passwords via telephone.

There may be several clues. For example, if colleagues ask you about spam mails sent from your account. If strange activities at your user account have been registered—for example, an unusually high number of mails sent—it will be blocked administratively. You can then no longer log in with your access data.

The most important thing is to change your password immediately via user administration. This is the only way to change passwords. If personal data is being stolen, the data protection officer and the Legal Unit also need to be involved. If you have questions, contact the Regional Computing Center service line.

And most importantly: don’t be ashamed. The attacks are now frequently highly professional. One wrong click may be all it takes. You are the victim and are in no way at fault.