Who hasn’t gotten one of these? An email in your Inbox announcing your “last chance” to protect your account from deletion or an email bluntly asking for “verification” of your credit card number, bank account information and even bank TANs. These emails appear to be sent from a trusted source, or at least make some effort to appear legitimate.
What they have in common is that they all involve sensitive information and data. In the end, they can lead to misuse or theft of email accounts, portal accounts, bank accounts and credit card accounts or other valuable things.
- You are asked to provide “email account data”, “access data for social networks” or the like under the pretext of limited storage space, data reorganisation, maintenance, etc. Aim: Misuse of the email account in order to send spam or disguise other illegal actions.
- Requests to disclose “bank details” such as bank account number, webshop and payment service access data (typically PayPal), credit card number or even TANs for verification because of an alleged problem. Aim: Enrichment.
- Requests disguised as, for example, an “invoice” or “consignment tracking” that ask you to follow a link to a website or open an attachment, with the aim of infecting the workstation PC or bringing it under outside control. Aim: Misuse of the PC and intrusion into the privacy of the user, spying on any information or, in the extreme case, extortion attempts by encryption of the local data on the PC or on network drives.
Phishing emails pursue different goals through their design and structure:
- A primitive form is included in the email and is to be completed and returned by email.
- A link in the email pretends to be a link to the web site of the email or banking service provider, but it is not. The target is actually a malicious web site that simply collects the data for misuse.
- The email contains malicious code that exploits a flaw in the HTML rendering of the email program or the web browser used, sometimes even without any virus scanner alert! This may actually put you at risk of infection by a virus or a “Trojan”!
- Attachments containing an Office document, a PDF or an HTML page, which can infect the workstation PC with the goal of bringing it under control. Here too, despite an installed virus scanner, an alarm may not be triggered, as the malicious code may simply be loaded unnoticed from the Internet.
Should there be any doubt as to the authenticity of an ostensibly “official” email or if the purpose of an email is unclear, the following procedure is recommended:
- Identify, analyse, and assess if it is a case of phishing using the features and instructions listed in the “Features of Phishing Activity” section above.
- In case of doubt, check whether the same or similar phishing emails are already known at the TU Wien (see below under "Known phishing variants") or perhaps even originate from the same "wave".
- Only for TU employees and members of the TU student body: Report the incident to firstname.lastname@example.org with a copy of the phishing email, please only in the original as an EML attachment (in common mail programs, drag and drop the message from the inbox list into the separate window of a new message to be sent).
- Isolate the phishing email (delete or save it), make sure that no attachments or links are clicked, and do not respond to the email!
Reporting is an important step since it provides a basis for countermeasures for current or future waves of similar spamming. Spam usually affects only a few dozen or even a few hundred recipients, but by no means all.
Contact for TU Wien staff and students for advice and reporting on phishing and email abuse:
- Johann Klasek, DW 42049 or
- Email to email@example.com (please do not send the phishing message itself or fragments of it - see message above - and only if really necessary, then as an EML attachment or in a file archive - e.g. ZIP or similar).
The more these indications apply, the more likely it is that the email is a phishing email.
VERY IMPORTANT: In terms of content, the official institutions and bodies of the Vienna University of Technology *never* require a password in plain text, especially not by way of unencrypted emails. If necessary, links to relevant TU.it pages are contained in emails; however, in case of doubt, you should go to the TU.it web pages via manual entry of the address in the address bar or via the bookmark collection.
In the best case scenario, emails are now also signed by many TU employees with S/MIME or PGP and the email program of a recipient can easily verify whether the sender and their message are authentic. If this is not used, then a careful look at the “contents” is all that can be used to determine if it is a case of phishing:
- The detailed view of the headers (once made visible) shows, in the “Received:” lines, only server addresses from the domain of TUnet, namely usually ending in “tuwien.ac.at”.
- The sender address (From:) or Reply-To address shows an address ending in tuwien.ac.at (in the address itself, not in the name field!).
- Any URIs that occur really refer to DNS domains ending in tuwien.ac.at - Watch out: the path part after the first “/” is not part of the domain - so “tuwien” can misleadingly appear there quite often!
- In most cases, the email is personally addressed and should contain your name in the email recipient field (To:). If several different addresses of other people at the Vienna University of Technology are listed, the email is probably *not* of official origin.
- The sign-off formula or email signature often contain inventive names for the sending organisation, which in any case have nothing to do with “TU IT Solutions”, “TU.it” or formerly “ZID”, “Zentraler Informatikdienst”, such as “Admin Department”, “TU security”, etc.
- Change your password immediately for the account that was compromised as well as for all personal and company accounts with the same password.
- As this is in any case an incident relevant to data protection, it has to be brought to the attention of the data protection officer, preferably at the email address firstname.lastname@example.org, with notification of which systems were affected, e.g. in the case of upTUdate accounts the upTUdate Mail, TUfiles, ownCloud, ticket system etc.
- Also inform your IT contact person so that it can be determined whether Trojans or other viruses have also been introduced to your computer/tablet/phone in connection with the phishing attack.