If you are uncertain about an e-mail, it should be treated as suspicious. Reasons to be suspicious can include the following:

• The e-mail is marked as spam
• The sender is unclear
• The e-mail is unwanted or unexpected
• The e-mail contains an unexpected attachment
• Spelling or formatting mistakes
• Inconsistencies
• The e-mail wants you to make a payment (e.g. to buy gift cards)
  • Messages that try to imitate superiors in this context are known as CEO fraud
• The e-mail contains a link which requires you to log in
• The e-mail asks for login credentials, personal information or other sensitive information
• The e-mail tries to put you under pressure (e.g. through deadlines, demands for payment or accusations)
• The e-mail swears you to secrecy or forbids you from contacting the supposed sender
• The address of the sender or links in the e-mail contain suspicious additions, particularly at the beginning of the address/url
• The linked website is not secure (a warning is displayed next to the address line in the browser)

In case of doubt, suspicious e-mails can be set to servicedesk@itc.rwth-aachen.de as an attachment. The IT Center can then assess whether the e-mail poses a threat and the type of threat where applicable. You should under no circumstances click any links in the e-mail or open attachments.

The steps that need to be taken when dealing with a suspicious e-mail depend on its type:

The e-mail is marked as spam

All e-mails that reach the RWTH Aachen University are checked for spam.

If such an e-mail is detected, it is marked with the text "***** SPAM *****" at the start of the subject line.

No further steps are required, provided that you do not do anything with the e-mail except deleting it. These e-mails have already been recognised as spam by the system and marked as such.

The e-mail is marked with "*****VIRUS REMOVED / ENTFERNT*****"

All e-mails that reach the RWTH Aachen University are checked for attachments containing malware. The same applies to e-mails which leave the RWTH via the server relay.rwth-aachen.de, relay-auth.rwth-aachen.de or smarthost.rwth-aachen.de.

If suspicious code is detected in an attachment, the attachment is replaced with the following text:

  This attachment contained a virus and was stripped.
     Filename:
     Content-Type:
     Virus(es):

Additionally, the beginning of the subject line has "***** VIRUS REMOVED / ENTFERNT *****" added to it. No further steps are required, provided that you do not do anything with the e-mail except than deleting it.

The e-mail is unrecognised spam

If you receive an unwanted e-mail that has not been recognised as spam by the system, and marked as such, you should forward the e-mail to the spam filter. This allows the spam filter to be trained to recognise the new type of spam.

It is critical that the original e-mail is forwarded as an attachment to spam@access.ironport.com. Simply forwarding the e-mail as text is not sufficient!

Spam such as advertising and simple hoaxes, that does not pose a technical threat, does not necessitate any further steps after it has been forwarded. The messages can then be deleted.

The e-mail is an unrecognised phishing e-mail or contains an undetected virus

Unrecognised malicious e-mails are likely to have been sent to multiple recipients as spam. It is likely that some of the other recipients have been tricked by the e-mail, so it is important that the e-mail is reported to the IT-ServiceDesk as early as possible to limit the damage.

Please report the malicious e-mail by sending it as an attachment to servicedesk@itc.rwth-aachen.de and spam@access.ironport.com. The e-mail can then be analysed and countermeasures can be enacted. Simply forwarding the e-mail as text is not sufficient.

Blog posts:

• CEO Fraud: When “Superiors” ask for Money

• Social Engineering – or: How we get tricked

• Safety first: Beware of Phishing Mails with RWTH names!

• Phishing Attack on RWTH E-Mail Accounts: Data Theft –Not with us!