Spam, phishing and other suspicious e-mails

Suspicious emails, whether spam, phishing, or malware, are a frequent issue at RWTH. To help students and staff learn how to respond appropriately, we have summarized the most important steps in a simple, clear manner.
The goal is to identify dangers early on, inform the relevant people, and prevent unnecessary worry. Even small actions, such as forwarding emails as attachments, help improve the spam and phishing filters for everyone.
This guide explains, step by step:
- How to recognize suspicious emails
- What to do if you receive a suspicious email
- What to do if you clicked on a link or opened an attachment
- Why this is important
Please note
If you clicked on a link or opened an attachment, your device or account may be compromised. Immediately follow the procedure for compromised devices and accounts.
How to recognize suspicious emails
The following emails are suspicious:
- Spam: unwanted advertising or mass emails. In most cases, the sender is unknown or the email is sent from a fake email address.
- Phishing: Emails sent with the intention of deceiving the recipient, e.g. to steal login credentials. These emails often contain fake links and create a sense of urgency or pressure on the recipient.
- Emails containing malware: e.g. suspicious attachments or links leading to malicious software.
- Hoaxes (chain emails): Content such as "Share this with 10 people", usually harmless but annoying and manipulative.
- Other warning signs: typos, unexpected file formats in attachments (e.g. .zip, .exe), no official signature, incorrect salutations or addresses, payment requests, links to unsafe websites.
What to do if you receive a suspicious email
The next steps depend on whether our filters have already detected the suspicious email.
Automatically detected spam and virus emails
The IT Center uses automatic filters (IronPort) to detect spam and viruses.
If a spam email is detected, ***** SPAM ***** is added to the subject line.
If a virus is detected, it is removed and ***** VIRUS REMOVED / ENTFERNT ***** is added to the subject line.
These emails can be deleted. No action is needed on your part.
Some email programs automatically move these emails to the spam folder.
Falsely detected or undetected emails
- False Positives (emails that were incorrectly identified as spam): Forward the email as an attachment (the email text alone is not sufficient!) to ham@access.ironport.com. The email address will be "unblocked" so that future emails are not detected as spam.
- Undetected spam or unwanted emails: Forward the email as an attachment to spam@access.ironport.com to improve the filter. You can then delete the email. This will help the filter detect similar emails in the future.
- Undetected phishing or malware emails: Forward the email as an attachment to servicedesk@itc.rwth-aachen.de and spam@access.ironport.com so that the IT Security Team can take appropriate measures.
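Why the attachment matters: an inline forward carries only the visible text, while the attached original keeps the transport headers (Received, Return-Path) that the filter and the IT Security Team need. The following is an added example, not RWTH's or IronPort's own tooling; it builds such a report with Python's standard library and routes it to the addresses listed above. The category names, function names and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Reporting addresses as listed on this page, keyed by hypothetical category names.
ROUTES = {
    "false_positive": ["ham@access.ironport.com"],
    "undetected_spam": ["spam@access.ironport.com"],
    "phishing_or_malware": ["servicedesk@itc.rwth-aachen.de",
                            "spam@access.ironport.com"],
}

# Constructed sample message (not a real email); all hosts are placeholders.
SAMPLE_RAW = (
    b"Received: from mail.sender.example (mail.sender.example [192.0.2.10])\r\n"
    b"\tby mx.recipient.example; Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"Return-Path: <bounce@sender.example>\r\n"
    b'From: "IT Support" <support@sender.example>\r\n'
    b"To: user@recipient.example\r\n"
    b"Subject: Please confirm your account\r\n"
    b"\r\n"
    b"Constructed body text.\r\n"
)

def build_report(raw: bytes, kind: str, reporter: str, note: str = "") -> EmailMessage:
    """Wrap the original message as a message/rfc822 attachment and address it."""
    if kind not in ROUTES:
        raise ValueError(f"unknown report kind: {kind!r}")
    original = message_from_bytes(raw, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = ", ".join(ROUTES[kind])
    report["Subject"] = f"Report ({kind}): {original['Subject'] or '(no subject)'}"
    report.set_content(note or f"Reported as {kind}; original message attached.")
    # Attaching the parsed message keeps its Received/Return-Path headers,
    # which an inline forward of the visible text would drop.
    report.add_attachment(original, filename="original.eml")
    return report

def attached_original(report: EmailMessage):
    """Return the embedded original message, or None if it was not attached."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None

if __name__ == "__main__":
    rpt = build_report(SAMPLE_RAW, "phishing_or_malware", "user@recipient.example")
    print(rpt["To"], attached_original(rpt)["Return-Path"])
```

The script only builds the report; sending it is left to the mail client or an SMTP submission of your choice.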
What to do if you clicked on a link or opened an attachment
If you clicked on a link or opened an attachment, please do the following:
Step 1
Immediately change your passwords. Please use a different device that is not compromised.
Step 2
Inform the IT-ServiceDesk. Send the suspicious email as an attachment with a short explanation to servicedesk@itc.rwth-aachen.de.
Step 3
Clean your devices with e.g. Cisco Secure (for work devices) or Malwarebytes (for personal devices). Contact the IT Service Desk if you need assistance.
Why this is important
- High spam volume: Large numbers of spam emails reach the inboxes of students and staff every day. Although the filters are efficient, they are not infallible, which is why conscious monitoring by users is essential.
- Filters only improve with feedback: Forwarding suspicious emails as attachments provides the system with additional information. This allows the filter to "learn" and block future spam and phishing emails more reliably.
- Early reporting protects everyone: If a genuine phishing or malware attempt is reported, countermeasures can be taken immediately (e.g., blocking links or compromised accounts). This protects not only you, but also the entire RWTH community, from data theft and malware.

