Carinthia
"Everything began - as so often - with an e-mail. A company had an offer, it said. It looked so similar to all previous e-mails from the supposed sender that someone in the Carinthian administration opened it without a second thought. In truth, it was a phishing e-mail - a message that deliberately imitates the appearance of an e-mail from the pretend sender. In fact, it is infected with malware with the goal of gaining access to the IT system."[1]
Serious consequences
Delays in the payment of, for example:
- housing subsidies,
- salaries in the public administration and
- basic care for refugees.
Payments now have to be instructed manually. Passports cannot be issued or can only be issued with major delays. The public school administration program, which is needed to issue school reports, among other things, is currently out of order. In addition, master data on thousands of people, both citizens and politicians, has surfaced.
It will take time to fully restore the IT infrastructure. The extent of the damage cannot be estimated at this time.
Realization
We - the TU Wien - could have been affected as well. The idea that our administration system for research and teaching at the TU Wien would not be available for a few weeks and what consequences this would have, especially for our students and the colleagues of TU.it and CSD, is very unpleasant. That is why it is so important to know how to recognize phishing emails!
Instructions and examples
Checking the following questions should become routine when dealing with e-mails:
1. Is the message unexpected?
See picture 1
In this case, the e-mail was sent by the supposed head of the institute. Is it realistic for the head to write such an e-mail? Wouldn't he/she rather write to the secretariat? If in doubt, always ask a colleague if this makes sense and warn new colleagues if something like this lands in their mailbox.
2. Does the sender match the message and the TU Wien?
See picture 2
Is the term "INSTITUTIONAL COMMUNICATION" in use? Is there an "exchange manager" at the TU Wien and does this designation make any sense in general?
3. Is pressure built up and are you asked to transfer money or to enter your user name and password?
See picture 3
The colleagues at TU.it would not write to you with "Hello user". They would not tell you that a certain number of e-mails are currently unavailable. They would also not ask you to download your e-mails or enter your user data, and they would not frighten you with the loss of your e-mails and all your e-mail data in general. You should also be skeptical if the sender is an "email server".
If you can answer "yes" to most of these three questions, it is probably a phishing e-mail. If you can answer "no" to most of the questions and/or if the e-mail contains a link or an attachment, you should continue with the following questions.
4. Is the link trustworthy?
If an email contains a link, check it WITHOUT OPENING THE LINK. If you hover over the link on a PC or laptop, the link will appear in the status bar or in an info box.
On mobile devices (smartphones and tablets), the procedure for identifying the web address of a link depends on the device and the application. Usually, you can see the address by keeping your finger on the link for at least two seconds. Then the web address will be displayed in the dialog box. Be careful not to click the link accidentally in the process. If you are unsure, wait until you are back at your PC or laptop. It is usually not that urgent.
It is best to test this procedure on an e-mail that is definitely not phishing, so that you know how to identify the web address on each of your devices.
5. Is the attachment trustworthy?
If the sender and content of a message are plausible in your view and this message contains an attachment, check whether the attachment has a potentially dangerous file format. This includes the following formats:
- directly executable file formats (very dangerous), e.g. .exe, .bat, .com, .cmd, .scr, .pif
- file formats that may contain macros, e.g. Microsoft Office files such as .doc, .docx, .docm, .ppt, .pptx, .xls, .xlsx
- file formats you are not familiar with
If you are not sure if you can open an attachment, call the sender before opening it BUT do not use the contact information provided in the email. Also, you can send the message as an attachment to phishing@tuwien.ac.at. TU.it colleagues will check whether a message is trustworthy or not.
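The checks from steps 4 and 5, as an added example (not TU Wien or TU.it tooling): it reads a raw message, lists the real host behind each link next to its visible text, and rates attachments against the two extension lists above. The function names, the "other" label and the sample message with its example.org and example.net addresses are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extension lists exactly as given in step 5 of this page.
EXECUTABLE = {".exe", ".bat", ".com", ".cmd", ".scr", ".pif"}
MACRO_CAPABLE = {".doc", ".docx", ".docm", ".ppt", ".pptx", ".xls", ".xlsx"}

class LinkCollector(HTMLParser):  # collects (visible text, real host) per <a href>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), urlsplit(self._href).hostname or ""))
            self._href = None

def classify_attachment(filename):
    """Rate a name by its LAST extension, so 'offer.pdf.exe' is treated as .exe."""
    name = filename.strip().lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if ext in EXECUTABLE:
        return "executable"
    return "macro-capable" if ext in MACRO_CAPABLE else "other"  # "other": on neither list

def triage(raw_message):
    """Parse a raw message and report link hosts and attachment ratings, opening nothing."""
    msg = message_from_string(raw_message, policy=policy.default)
    collector, attachments = LinkCollector(), {}
    for part in msg.walk():
        if (name := part.get_filename()):
            attachments[name] = classify_attachment(name)
        elif part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    return {"links": collector.links, "attachments": attachments}

def sample_message():
    """Constructed sample: link text that differs from its target, plus two attachments."""
    m = EmailMessage()
    m.set_content('<a href="http://login.example.net/x">webmail.example.org</a>', subtype="html")
    for fn in ("offer.pdf.exe", "report.docm"):
        m.add_attachment(b"x", maintype="application", subtype="octet-stream", filename=fn)
    return m.as_string()
```

A result of "other" only means the extension is on neither list; whether the format is one you are familiar with remains your own judgement.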
Videos on the topic
If you prefer to watch videos on the topic, you can find very well prepared videos on phishing here (only available in German):
Links to explanatory videos (by Alexander Lehmann):
NoPhish Video I: youtu.be/v6cq70RR_lc
NoPhish Video II: youtu.be/JYu07OcFzew
NoPhish Video III: youtu.be/4Iui6rt0ELg