You should under no circumstances click any links or open attachments in a suspicious e-mail.

If you have clicked on a link or opened an attachment, there is a risk that your device or accounts are compromised. Please follow the procedures for compromised accounts and devices immediately.

If you are uncertain whether an email is trustworthy, you should treat it with extra caution.

Reasons for an e-mail to be suspicious can include the following:

• Marking as spam by your e-mail program or in the subject
• Unclear who the sender is
• The email uses a username, generic name or the wrong name to address you
• Unwanted or unexpected e-mails
• Unexpected attachments (especially .zip / .rar / .tar.gz / .7z / .exe / .bat / .com / .cmd / .scr / .pif files)
• Missing e-mail signature for e-mails from official institutions
• Spelling or formatting mistakes
• Inconsistencies
• Requesting a payment (e.g. to buy gift cards, invoices)
  • Messages that try to imitate superiors in this context are known as CEO fraud
  • Fake conferences can ask for registration fees or abstracts
• Links that you are meant to use to log in to an account
• Asking for login credentials, personal information or other sensitive information
• Putting you under pressure (e.g. through deadlines, demands for payment or accusations)
• Swearing you to secrecy or forbidding you from contacting the supposed sender
• The address of the sender or links in the e-mail contain suspicious additions, particularly at the beginning of the address/url
• The linked website is not secure (a warning is displayed next to the address line in the browser). Please do not voluntarily click any links in suspicious e-mails, even just to test them.

The steps that need to be taken when dealing with a suspicious e-mail depend on its type:

• The e-mail is marked as spam
• The e-mail is marked with "*****VIRUS REMOVED / ENTFERNT*****"
• The e-mail is unrecognised spam
• The e-mail is an unrecognised phishing e-mail or contains an undetected virus

The e-mail is marked as spam

All e-mails that reach the RWTH Aachen University are checked for spam.

If such an e-mail is detected, it is marked with the text "***** SPAM *****" at the start of the subject line.

No further steps are required, provided that you do not do anything with the e-mail except deleting it. These e-mails have already been recognised as spam by the system and marked as such.

The e-mail is marked with "*****VIRUS REMOVED / ENTFERNT*****"

All e-mails that reach the RWTH Aachen University are checked for attachments containing malware. The same applies to e-mails which leave the RWTH via the server relay.rwth-aachen.de, relay-auth.rwth-aachen.de or smarthost.rwth-aachen.de.

If suspicious code is detected in an attachment, the attachment is replaced with the following text:

  This attachment contained a virus and was stripped.
     Filename:
     Content-Type:
     Virus(es):

Additionally, the beginning of the subject line has "***** VIRUS REMOVED / ENTFERNT *****" added to it. No further steps are required, provided that you do not do anything with the e-mail except than deleting it.

The e-mail is unrecognised spam

If you receive an unwanted e-mail that has not been recognised as spam by the system, and marked as such, you should forward the e-mail to the spam filter. This allows the spam filter to be trained to recognise the new type of spam.

It is critical that the original e-mail is forwarded as an attachment (simply forwarding the e-mail as text is not sufficient!) to spam@access.ironport.com.

Spam such as advertising and simple hoaxes, that does not pose a technical threat, does not necessitate any further steps after it has been forwarded. The messages can then be deleted.

The e-mail is an unrecognised phishing e-mail or contains an undetected virus

Unrecognised malicious e-mails are likely to have been sent to multiple recipients as spam. It is likely that some of the other recipients have been tricked by the e-mail, so it is important that the e-mail is reported to the IT-ServiceDesk as early as possible to limit the damage.

Please report the malicious e-mail by sending it as an attachment (simply forwarding the e-mail as text is not sufficient!) to servicedesk@itc.rwth-aachen.de AND spam@access.ironport.com. The e-mail can then be analysed and countermeasures can be enacted. 

If the suspicious e-mail cites an older e-mail, please forward us the original email as an attachment (simply forwarding the e-mail as text is not sufficient!) to servicedesk@itc.rwth-aachen.de, or please let us know the date of sending and the addressees of this e-mail. This will make it easier for us to analyse possible mailbox leaks.

Blog posts:

• CEO Fraud: When “Superiors” ask for Money

• Social Engineering – or: How we get tricked

• Safety first: Beware of Phishing Mails with RWTH names!

• Phishing Attack on RWTH-E-Mail Accounts: Data Theft –Not with us!