If you are uncertain about an e-mail, it should be treated as suspicious. Reasons to be suspicious can include the following:
- The e-mail is marked as spam by your e-mail program or in the subject line
- Unclear who the sender is
- Unwanted or unexpected e-mails
- Unexpected attachments
- Spelling or formatting mistakes
- Requesting a payment (e.g. to buy gift cards, invoices)
  - Messages that try to imitate superiors in this context are known as CEO fraud
  - Fake conferences can ask for registration fees or abstracts
- Links that you are meant to use to log in to an account
- Asking for login credentials, personal information or other sensitive information
- Putting you under pressure (e.g. through deadlines, demands for payment or accusations)
- Swearing you to secrecy or forbidding you from contacting the supposed sender
- The address of the sender or links in the e-mail contain suspicious additions, particularly at the beginning of the address/URL
- The linked website is not secure (a warning is displayed next to the address line in the browser).
Please do not voluntarily click any links in suspicious e-mails, even just to test them.
In case of doubt, suspicious e-mails can be sent to email@example.com as an attachment. The IT Center can then assess whether the e-mail poses a threat and the type of threat where applicable. Please only forward the original e-mail to us, rather than forwards or e-mail chains that merely contain the e-mail. You should under no circumstances click any links in the e-mail or open attachments.
The steps that need to be taken when dealing with a suspicious e-mail depend on its type:
The e-mail is marked as spam
All e-mails that reach the RWTH Aachen University are checked for spam.
If such an e-mail is detected, it is marked with the text "***** SPAM *****" at the start of the subject line.
No further steps are required, provided that you do not do anything with the e-mail except deleting it. These e-mails have already been recognised as spam by the system and marked as such.
The e-mail is marked with "*****VIRUS REMOVED / ENTFERNT*****"
All e-mails that reach the RWTH Aachen University are checked for attachments containing malware. The same applies to e-mails which leave the RWTH via the server relay.rwth-aachen.de, relay-auth.rwth-aachen.de or smarthost.rwth-aachen.de.
If suspicious code is detected in an attachment, the attachment is replaced with the following text:
This attachment contained a virus and was stripped.
Additionally, the beginning of the subject line has "***** VIRUS REMOVED / ENTFERNT *****" added to it. No further steps are required, provided that you do not do anything with the e-mail except deleting it.
The e-mail is unrecognised spam
If you receive an unwanted e-mail that has not been recognised and marked as spam by the system, you should forward the e-mail to the spam filter. This allows the spam filter to be trained to recognise the new type of spam.
Spam that does not pose a technical threat, such as advertising and simple hoaxes, does not necessitate any further steps after it has been forwarded. The messages can then be deleted.
The e-mail is an unrecognised phishing e-mail or contains an undetected virus
Unrecognised malicious e-mails are likely to have been sent to multiple recipients as spam. It is likely that some of the other recipients have been tricked by the e-mail, so it is important that the e-mail is reported to the IT-ServiceDesk as early as possible to limit the damage.
Please report the malicious e-mail by sending it as an attachment to firstname.lastname@example.org and email@example.com. The e-mail can then be analysed and countermeasures can be enacted. Simply forwarding the e-mail as text is not sufficient.
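Why the report has to carry the original as an attachment, shown as an added example (not code from the IT Center): the script builds the same report twice, once with the original attached as message/rfc822 and once forwarded as text, and lists which trace headers an analyst can still read. The report address and the sample message are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

REPORT_TO = "report-address@example.invalid"  # placeholder, not a real mailbox
TRACE_HEADERS = ("Return-Path", "Received", "Message-ID")

# Constructed sample message, not a real e-mail.
RAW_ORIGINAL = (
    b"Return-Path: <bounce@mailer.example.net>\r\n"
    b"Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    b"\tby mail.example.org; Mon, 1 Jan 2024 10:00:00 +0100\r\n"
    b"From: \"IT Support\" <support@example.net>\r\n"
    b"To: user@example.org\r\n"
    b"Subject: Your mailbox is full\r\n"
    b"Message-ID: <abc123@mx.example.net>\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Please log in within 24 hours.\r\n"
)

def _new_report(reporter: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = reporter
    msg["To"] = REPORT_TO
    msg["Subject"] = "Suspicious e-mail report"
    return msg

def report_as_attachment(raw: bytes, reporter: str) -> EmailMessage:
    """Attach the untouched original as a message/rfc822 part."""
    original = message_from_bytes(raw, policy=policy.default)
    report = _new_report(reporter)
    report.set_content("Original message attached unmodified.")
    report.add_attachment(original)  # a Message object becomes message/rfc822
    return report

def report_as_inline_text(raw: bytes, reporter: str) -> EmailMessage:
    """Forward only the visible body text, as a plain forward does."""
    original = message_from_bytes(raw, policy=policy.default)
    report = _new_report(reporter)
    report.set_content(original.get_body().get_content())
    return report

def surviving_trace_headers(report_bytes: bytes) -> list:
    """Trace headers of the original that can be recovered from a report."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()  # the embedded original message
            return [h for h in TRACE_HEADERS if h in inner]
    return []
```
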