In this campaign, we explain what happens in the RZ when a phishing message is received and what the limits are.
What consequences could a successful phishing attempt have?
The attackers have access to a university ID and thus also to numerous other systems (file server, VPN connection, e-mail box, Seafile, QIS, ...).
Malware could have been installed on the computer, which, for example, spies on data, destroys it or causes further damage (encryption Trojan etc.).
The hijacked account can be used for "spear phishing". In this way, targeted phishing attacks can be sent from a supposedly secure university account to other university members.
The attackers also have access to the entire historical email correspondence of the hijacked account (external contacts, registrations, orders,...), which can be used for further attacks.
A university mailbox can be misused to send spam mails. This often results in the university's mail server ending up on block lists and thus temporarily no more e-mails from university addresses being delivered to mailboxes of other providers.
The publication of confidential documents could cause great damage and loss of reputation to the university.
An attack on the university infrastructure could paralyse it for a longer period of time and thus bring teaching and research to a standstill.
What do the data centres and the information security team do?
Report mails to Spamcop.
Train internal spam filters so that SPAM marking can take place. Read more here: https://www.hochschule-trier.de/rzht/it-dienste-infos/schutz-vor-spam-mails
Blocking university identifiers if they are currently being used for spamming.
In the event of particularly conspicuous phishing attempts, we will post a corresponding notice on the RZ pages.
Raising awareness among employees through awareness campaigns, the training portal and talks.
What are the data centres not doing and why?
Generally block sending addresses of phishing e-mails. Reason: the sending addresses are usually fake. If they were blocked, the wrong people would be punished. The blocking of sending addresses is done manually on the servers and must also be removed manually. In most cases, the effort exceeds the benefit, because a phishing e-mail is often sent from different fake sender addresses. Exception: if a large phishing wave comes from one address.
Filter phishing e-mails according to text features. Reason: the danger that the filter characteristics also apply to legitimate e-mails is too great. In addition, similarities in content, which a human being can easily recognise, are difficult to implement as automated filters.
What can I contribute to protection?
Please note the following info page: https://www.hochschule-trier.de/rzht/it-dienste-infos/phishing
Be sceptical of any e-mail containing an attachment or link. If you have even the slightest doubt about the authenticity of the message, contact the sender. Do not reply to the e-mail in question, but compose a new message with an address known to you or enquire by telephone. Alternatively, you can contact the Information Security Team.
Use the tool "Mattermost" for internal communication, e.g. in your team. https://www.hochschule-trier.de/rzht/it-dienste-infos/anleitungen/sonstiges/chat-teams-erstellen-unter-mattermost Establishing Mattermost at Trier University of applied sciences would make many emails unnecessary and make a significant contribution to protection against phishing.
Will the phishing emails ever stop?
Honestly? We are not very optimistic. As long as e-mail is the predominant communication medium and phishing attempts succeed in either obtaining a lot of money or valuable information, the problem will continue to exist. Unfortunately, this issue now ties up considerable technical and, above all, human resources in the data centres that are lacking elsewhere. Every successful phishing attempt makes the situation even worse. That is why your prudence and assistance will continue to be important in the future.
