What is a Phishing Scam?
Phishing refers to the illegal attempt to obtain other people’s passwords and other login credentials. Phishing scams usually occur via e-mail. Very often, the e-mail addresses used to send phishing attempts are faked. Faking e-mails and e-mail addresses is as easy as writing someone else’s name on a postcard, so all aspects of suspicious e-mails should be examined carefully.
In most cases, phishing attempts will alert the recipient that some kind of immediate action has to be taken — often this action is some form of validation on a faked website. Once the recipients use their login credentials for this validation, their input is harvested by the scamming party and may be abused in the future.
Furthermore, phishing schemes usually threaten an adverse consequence for the recipient in case they do not comply with such validation requests.
This is designed to put the target under pressure so that they will be more likely to comply with the faked request.
As such, phishing scams are an example of an attempt at social engineering: a psychological manipulation that aims to make its victims take actions which they would refrain from in situations of lower mental pressure. Such actions often involve some form of disclosure of sensitive data or information, such as passwords, credentials or company secrets, but they may also be aimed at e.g. gaining physical access to non-public spaces.
However, this exploitation of human behaviour under (social) pressure is only the first step: account data and other information obtained through social engineering may be used as the basis for cyber attacks or other attacks on systems, services or devices.
Thus, phishing and other social engineering techniques usually have two target levels. On the first one, the target is an individual person; on the second one, it is the infrastructure this person has legitimate access to.
This is why every single individual who uses an IT service or system bears a responsibility for the security of our IT infrastructure and should exercise caution when dealing with suspicious content or e-mails.
Phishing Scams: Questions and Answers
What does a phishing e-mail look like?
I have received an e-mail from my own e-mail address. Have I been hacked?
How should I react to a phishing e-mail?
I am not sure if the e-mail I received is a phishing attempt. Where can I ask for advice?
- Look closely: Which address was the e-mail sent from? Remember, e-mail addresses are faked easily. In case of doubt, check if you know the sender and reach out to them in a different e-mail, text message or call them. A quick phone call or a short message may prevent further harm.
- Be cautious: Never open text documents (e.g. docx files) or ZIP archives unless you are absolutely certain that they come from a legitimate source or from the person the e-mail purports to have been sent by. Not even
  - if you recognise that person’s name. Their name in the e-mail or in the address is no evidence of them having actually sent the e-mail.
  - if the e-mail seems to be a reply to previous correspondence.
- Do not click on links carelessly: Malware is very versatile and also may stand behind links that look authentic. Depending on the malware, clicking on such a link may bring disaster upon you and maybe even the IT infrastructure of your entire institution.
- Look even more closely: Where does a link redirect to — an official website of e.g. the University of Cologne or a dubious website such as www.weight-loss…?
- Use a secure virus check tool:
VirusTotal is a free online service that lets you check suspicious links for malware. You can access it here (this link should be safe to click on): https://www.virustotal.com/gui/home/url
- Use Windows Sandbox:
A sandbox is a closed part of your operating system, like an operating system within your operating system. This allows it to execute operations without potentially compromising your actual system.
- In case of doubt (or if you accidentally clicked on a suspicious link or opened a suspicious attachment), contact your IT service, DP office or the RRZK help desk and request further advice and instructions.
Whereas the average phishing attempt is distributed to several hundred or thousand persons at the same time, there is another form of phishing that is highly targeted and, as such, more dangerous: Spear Phishing.
Spear phishing attempts usually are scam e-mails that are sent to as few as one individual person and contain highly specialized content that is tailored to the target’s interests, correspondences or work environment, which may look authentic even under closer inspection. As such, spear phishing is a particularly insidious type of scam. We have compiled a separate information page on Spear Phishing here.
Why can't technical spear phishing campaigns be completely prevented?
Since these are customised, individually sent e-mails rather than a measurable mass mailing, no automatic mechanism is in place that would prevent them from being sent. Because the messages are adapted in each case and the attackers are mostly based abroad, blocking or tracing such e-mails in general is technically very difficult at present.
What is gift card spam?
Scammers write to persons in the name of a superior (professor, management) from an external address (Gmail, Yahoo). They pretend that the matter is urgent. The victims are put under pressure and are persuaded to buy gift cards and hand over the gift card codes.
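The following is an added illustration, not part of the RRZK page, of the checks from the list above (sender address rather than sender name, pressure wording, where a link really leads) applied to the gift card pattern just described. The sample message, the addresses and hosts in it, the list of internal domains and the urgency words are all constructed assumptions for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (hypothetical addresses and hosts): a professor's name on an
# external webmail address, urgent wording, and a link whose text looks official.
SAMPLE_EML = """From: "Prof. Dr. Example" <prof.example.office@webmail.example>
To: student@uni-koeln.de
Subject: URGENT - need your help today
Content-Type: text/html; charset=utf-8

<p>I am in a meeting and cannot call. Please confirm your account at
<a href="http://verify-portal.example/uni-koeln">https://www.uni-koeln.de/verify</a>
and send me the gift card codes today.</p>
"""

INTERNAL_DOMAINS = {"uni-koeln.de"}  # assumption: the institution's own domains
URGENCY_WORDS = ("urgent", "immediately", "today", "gift card")
# Good enough for the simple HTML of the sample; arbitrary mail needs a real parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def _host(value):
    """Host of a URL, or the domain part of an e-mail address, lower-cased."""
    host = urlparse(value).hostname if "://" in value else value.rpartition("@")[2]
    return (host or "").lower()

def phishing_indicators(raw_message):
    """Return the red flags from the checklist above that apply to one raw e-mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    body = msg.get_content()
    flags = []
    # The sender's name alone proves nothing; the address domain is what to look at.
    if _host(addr) not in INTERNAL_DOMAINS:
        flags.append(f"'{name}' writes from external domain {_host(addr)}")
    # Urgency and threatened consequences are the pressure tactic the page describes.
    if any(w in f"{msg['Subject']} {body}".lower() for w in URGENCY_WORDS):
        flags.append("pressure to act immediately")
    # Where does the link really go? Compare the shown URL's host with the href host.
    for href, shown in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if "://" in shown and _host(href) != _host(shown):
            flags.append(f"link text shows {_host(shown)} but leads to {_host(href)}")
    return flags

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EML):
        print("-", flag)
```

Running the script on the sample prints the three red flags; a message from an internal address without pressure wording or misleading links yields an empty list.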
If you have any questions or problems, please contact the RRZK-Helpdesk.