If you are uncertain about an e-mail, it should be treated as suspicious. Reasons to be suspicious can include the following:
- The e-mail is marked as spam
- The sender is unclear
- The e-mail is unwanted or unexpected
- The e-mail contains an unexpected attachment
- Spelling or formatting mistakes
- The e-mail wants you to make a payment (e.g. to buy gift cards)
  - Messages that try to imitate superiors in this context are known as CEO fraud
- The e-mail contains a link which requires you to log in
- The e-mail asks for login credentials, personal information or other sensitive information
- The e-mail tries to put you under pressure (e.g. through deadlines, demands for payment or accusations)
- The e-mail swears you to secrecy or forbids you from contacting the supposed sender
- The address of the sender or links in the e-mail contain suspicious additions, particularly at the beginning of the address/URL
- The linked website is not secure (a warning is displayed next to the address line in the browser)
In case of doubt, suspicious e-mails can be sent to email@example.com as an attachment. The IT Center can then assess whether the e-mail poses a threat and the type of threat where applicable. You should under no circumstances click any links in the e-mail or open attachments.
The steps that need to be taken when dealing with a suspicious e-mail depend on its type:
The e-mail is marked as spam
All e-mails that reach RWTH Aachen University are checked for spam.
If such an e-mail is detected, it is marked with the text "***** SPAM *****" at the start of the subject line.
No further steps are required, provided that you do not do anything with the e-mail except deleting it. These e-mails have already been recognised as spam by the system and marked as such.
The e-mail is marked with "*****VIRUS REMOVED / ENTFERNT*****"
All e-mails that reach RWTH Aachen University are checked for attachments containing malware. The same applies to e-mails which leave RWTH via the servers relay.rwth-aachen.de, relay-auth.rwth-aachen.de or smarthost.rwth-aachen.de.
If suspicious code is detected in an attachment, the attachment is replaced with the following text:
This attachment contained a virus and was stripped.
Additionally, the beginning of the subject line has "***** VIRUS REMOVED / ENTFERNT *****" added to it. No further steps are required, provided that you do not do anything with the e-mail except deleting it.
The e-mail is unrecognised spam
If you receive an unwanted e-mail that has not been recognised and marked as spam by the system, you should forward the e-mail to the spam filter. This allows the spam filter to be trained to recognise the new type of spam.
Spam that does not pose a technical threat, such as advertising and simple hoaxes, does not necessitate any further steps after it has been forwarded. The messages can then be deleted.
The e-mail is an unrecognised phishing e-mail or contains an undetected virus
Unrecognised malicious e-mails are likely to have been sent to multiple recipients as spam. It is likely that some of the other recipients have been tricked by the e-mail, so it is important that the e-mail is reported to the IT-ServiceDesk as early as possible to limit the damage.
Please report the malicious e-mail by sending it as an attachment to firstname.lastname@example.org and email@example.com. The e-mail can then be analysed and countermeasures can be enacted. Simply forwarding the e-mail as text is not sufficient.
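Why the report has to carry the e-mail as an attachment, shown as an added example that is not the IT Center's own tooling: attaching the original as a message/rfc822 part keeps its transport headers (such as Received) available for analysis, while a plain forward carries only the visible body. The sample message, all addresses and hosts, and the function names are constructed for illustration; gateway_verdict checks the subject markers described above.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample message; every address and host is a placeholder.
RAW = (
    b"Received: from mail.sender.example (mail.sender.example [192.0.2.10])\r\n"
    b"\tby mx.recipient.example; Mon, 01 Jan 2024 09:00:00 +0100\r\n"
    b'From: "IT Support" <support@sender.example>\r\n'
    b"Subject: Your mailbox is full\r\n"
    b"\r\n"
    b"Log in within 24 hours to keep your account.\r\n"
)

def gateway_verdict(subject):
    """Classify by the subject markers this page describes."""
    compact = subject.replace(" ", "")  # the marker appears with and without spaces
    if compact.startswith("*****SPAM*****"):
        return "spam"
    if compact.startswith("*****VIRUSREMOVED/ENTFERNT*****"):
        return "virus-removed"
    return "unmarked"

def _new_report(reporter, report_to):
    report = EmailMessage()
    report["From"], report["To"] = reporter, report_to
    report["Subject"] = "Suspicious e-mail report"
    return report

def report_as_attachment(raw, reporter, report_to):
    """Attach the untouched original as a message/rfc822 part."""
    report = _new_report(reporter, report_to)
    report.set_content("Original attached. Links and attachments were not opened.")
    report.add_attachment(message_from_bytes(raw, policy=policy.default))
    return report.as_bytes()

def forward_as_text(raw, reporter, report_to):
    """What a plain forward keeps: the visible body only."""
    original = message_from_bytes(raw, policy=policy.default)
    report = _new_report(reporter, report_to)
    report.set_content("Forwarded message:\n" + original.get_content())
    return report.as_bytes()

def recovered_original(report_bytes):
    """Return the embedded original from a report, or None if it was not attached."""
    parsed = message_from_bytes(report_bytes, policy=policy.default)
    for part in parsed.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None
```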