"Phishing" Email Fraud

Listen

"Phishing" refers to the fraudulent attempt to obtain sensitive data (personal and business) by posing as a trustworthy contact. Find out here how you can protect yourself against this threat.

Fake emails, websites or text messages (via SMS or WhatsApp) are used as tools for this digital data theft. Victims are often subject to identity theft, or dangerous malware may be installed on their devices via attachments.

When the digital mail carrier rings . .

vorschau-bild:falscher-postbote-liefert-paket

Video 1: The digital mail carrier Video 1: The digital mail carrier

Screenshot aus Video zu gefaehrlichen Links

Video 2: Dangerous links Video 2: Dangerous links

Video 3: Stress, Time Pressure, Euphoria Video 3: Stress, Time Pressure, Euphoria

Why would an attacker target me?

Even if you're not an IT expert, you might still be on the radar of cybercriminals.

Sensitive Data
If you have access to confidential information, such as student records, financial data, or confidential research data, you become an attractive target for attackers.

Your Credentials Are the Key
Your username and password could give cybercriminals access to critical university systems if they manage to steal these details.

Identity Theft
Attackers could steal your identity and impersonate you to conduct illegal activities or launch further attacks in your name.

Sensitive Emails
Your emails may contain confidential information that is highly valuable to attackers.

The Entry Point
Your computer or smartphone could be used by attackers as a gateway to infiltrate the entire university network.

Remember, security is a shared responsibility, regardless of your IT knowledge. Your vigilance is crucial in protecting yourself and the university from threats. Stay alert and learn to recognize phishing attacks to keep both yourself and the university safe.

Examples of past phishing emails at EUF

View phishing examples at EUF View phishing examples at EUF

Typical characteristics of a phishing email

Phishing emails can be identified through certain key features, some of which you can see here. "Good" phishing emails combine several of these features - for example, they might convey urgency or try to arouse your greed. Some earlier signs of phishing (like spelling and grammar errors) are now less common thanks to the increased use of AI.

1. They require urgent action

A common tactic in phishing emails is to pressure the recipient into acting immediately. For example, the email might say something like "We urgently need to transfer funds to company X today."

Examples:

Your PayPal account has been locked.
A DHL package could not be delivered.
You have received an official notification.
Data verification ("Your IT administration needs to check your access data. Please enter it here: ...")
Software update prompt ("Your Outlook is outdated. Click here ...")

2. They abuse your trust

Phishing emails exploit your trust in well-known companies, brands, products, services, or departments at EUF; the emails you receive in their name are not actually from those companies, brands, etc.

3. They seem to come from people or institutions you know

Phishing emails are sent in the name of colleagues, superiors, or acquaintances who urge you to respond. Since these are people or institutions you know, you are compelled to trust the fraudulent email and click on the dangerous link.

4. They mention current events

Phishing emails often reference current events, like:

Current COVID-19 measures
A damaged car in the parking lot
Requests for assistance by police officers
Storm damage on campus

The urgency of the supposed event might push you to respond immediately and click on a fake link, or divulge sensitive information (like your license plate number).

5. They play on your emotions

Particularly effective phishing emails will also engage you on an emotional level. They might invoke sympathy, touch on your personal interests, or raise health issues.

Examples:

A dog locked in a car during a heatwave
A missing cat
A death in the family

6. They play on your greed

"What? It's free? I'll click on that!"

Examples:

Free concert tickets
Lottery tickets
Supposed marketing campaign

7. They contain attachments

Phishing emails often advise you to check the data in email attachments.

This is particularly dangerous, because these attachments can allow malware to be installed on your device. The malware can then target your data, your computer - and even the whole university network.

Examples:

List of vacation days in Excel
Invoices
Vacation photos (e.g., in a ZIP file)

These file formats are particularly dangerous when sent as attachments:

.docx and .xlsx (Word and Excel files)
.xlsm (Excel files with executable content)
.exe
.zip and .rar

However, other file types can also be dangerous. Always ask yourself: Am I expecting an email with this attachment from this sender?

8. Neugier

"Es wird schon nichts passieren, nur mal gucken..."

Hier klicken!

How can I protect myself?

1. Always be sceptical

Be wary of any email that calls for urgent action on your part - for example, a request to change your password.

2. Does it even make sense?

"I didn’t order any package!" - Phishing links may also be disguised as package notifications. Delete such emails if you're not expecting a package, or if you were expecting one from a different mail courier.

3. Carefully inspect links before clicking:

Examine the URL closely:

Hover over the link (without clicking) to see the actual URL in the bottom corner of your browser or email client. Look for spelling mistakes or unusual characters that could indicate a fake, phishing-related website.

Be cautious of shortened links:

Shortened URLs (like bit.ly, t1p.de, or goo.gl) obscure the real destination and are frequently used by phishers.

You might also consider using this pro tip.

Frequently asked questions (FAQ)

Why am I still receiving spam and phishing emails, despite all these protective measures?

We are currently seeing an increase in malicious emails. Although our systems block over 90% of these emails, please be aware that 100% protection is technically impossible. Our security measures are continuously adapting to the current threat landscape.

What should I do with SPAM/phishing emails in my Outlook mailbox?

We recommend that you promptly delete suspicious emails. Alternatively, you can mark these emails as spam or junk by right-clicking on them. This will automatically isolate the messages by moving them to the internal Outlook junk email folder.

Should I report suspicious emails?

You are encouraged to report suspicious emails to postmaster-PleaseRemoveIncludingDashes-@uni-flensburg.de. Your reports will be used for analysis and may help us adjust our security systems so that they can detect and combat potential threats early on.

What should I do if I've clicked on a potentially harmful link?

Please change your password immediately. You can find instructions for changing your password on the Access data page. Report the incident promptly to ZIMT Service so that protective measures can be taken as soon as possible.

Downloads

Sophos Home Premium Security Software (Students | Employees)

Want to learn more? Here's further reading material. . .

Short videos on various IT security topics (in German) | Bundesamt für Sicherheit in der Informationstechnik (BSI) [German Federal Office for Information Security]
Phishing quiz (in German) | Karlsruher Institut für Technologie (KIT), Secuso
Key features of phishing emails (in German)| Verbraucherzentrale [Consumer Advice Center]