
Phishing

The picture shows a fishing hook catching a letter. The caption reads: Fisherman Fritz phishes fresh passwords.
Image: Staff Unit Information Security

What is phishing?

With phishing, attackers try to obtain your account data, usually your username and password, without authorization. Phishing attacks almost always follow the same pattern. We explain how such an attack works and how you can stop the attackers.

An e-mail with a dubious link

In most cases, you will find an e-mail in your inbox asking you to do something urgently: for example, to click on a link and log in as soon as possible because your inbox is supposedly full and you will otherwise not be able to receive any more e-mails. From the attackers' point of view, the one thing you must not do in this situation is stop and think. Below we show two examples of phishing e-mails sent in the name of IT support that members and affiliates of Philipps-Universität have received in the past.

Example 1 (German)

We have marked in red how you can recognize the phishing e-mail: the sender address and the implausible name in the signature. The language of the e-mail is also not quite correct.

Example 2 (English)

In this example, there is no personal salutation by name, and pressure is built up.

Of course, the link in the e-mail does not take you to the login page of the university webmailer but to a fake page set up by the attackers. If you enter your data there, you hand it to the attackers on a silver platter.

This is how you protect yourself:

  • Stay calm and do not react in haste, even if the e-mail says it is urgent. Take the time to think about it.
  • Do you know the sender? Does it make sense that he or she would write to you? Call the person if you are not sure.
  • Many phishing e-mails are still written in poor German or English and sometimes have a sloppy salutation. Such e-mails are not genuine. Be aware, though, that a well-written e-mail can still be phishing.
  • Check the links in the e-mail before you click on them: hover the mouse pointer over a link to see its real target, or right-click it, copy the link address and look at it (for example by pasting it into a search engine) before opening it.
  • If you expect a link to the university webmailer, it should not point to a page such as www.webhostapp000.com/uni-marburg/login.
  • Open known websites via bookmarks in your browser rather than via links in e-mails.
  • Attackers usually fake the sender address, so take a close look at where the e-mail really comes from.
  • On the last point, a short explanation for advanced users:

    Check the sender's e-mail address as follows:
    - Outlook: More > View message source
    - Thunderbird: More > View > Message source (Ctrl + U)
    - Uni-Webmailer: More > Message source
    Look at the lowest Received block that does not include localhost and compare it with the "From:" field below it. Each mail server adds its own Received line at the top, so the lowest one is the hop closest to the sender. If the e-mail supposedly comes from a member of Philipps-Universität, you should not find any external server names in these fields (e.g. mailer.webhostapp000.com).
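The check described above, automated as an added example (this is not code from the page or from the university's IT department). It parses the raw message source, picks the lowest Received line that does not mention localhost, extracts the host named after "from", and compares it with the domain of the From: address. The two message sources are constructed for this example; mx.uni-marburg.de and smtp.uni-marburg.de are hypothetical hostnames, and mailer.webhostapp000.com is the example server named above.

```python
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "uni-marburg.de"  # domain the university's own servers use (assumption)

# Constructed sample: raw source of a phishing mail whose From: claims the university,
# but which was handed to the university's mail server by an external host.
PHISHING_SOURCE = """\
Received: from mailer.webhostapp000.com (mailer.webhostapp000.com [203.0.113.17])
\tby mx.uni-marburg.de (Postfix) with ESMTP id 4ABC123
\tfor <user@uni-marburg.de>; Tue, 5 Mar 2024 09:12:44 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
\tby mailer.webhostapp000.com (Postfix) with ESMTP id 7DEF456
\tfor <user@uni-marburg.de>; Tue, 5 Mar 2024 09:12:40 +0100 (CET)
From: IT Support <it-support@uni-marburg.de>
To: user@uni-marburg.de
Subject: Your mailbox is full

Please log in immediately: http://www.webhostapp000.com/uni-marburg/login
"""

# Constructed sample of a genuine internal mail: the lowest non-localhost hop is
# a university server (smtp.uni-marburg.de is a hypothetical hostname).
GENUINE_SOURCE = """\
Received: from smtp.uni-marburg.de (smtp.uni-marburg.de [192.0.2.25])
\tby mx.uni-marburg.de (Postfix) with ESMTP id 9GHI789
\tfor <user@uni-marburg.de>; Tue, 5 Mar 2024 10:01:02 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
\tby smtp.uni-marburg.de (Postfix) with ESMTP id 2JKL012
\tfor <user@uni-marburg.de>; Tue, 5 Mar 2024 10:01:00 +0100 (CET)
From: Colleague <colleague@uni-marburg.de>
To: user@uni-marburg.de
Subject: Meeting tomorrow

See you at 10.
"""


def received_hops(raw_source):
    """All Received headers, top to bottom, each unfolded onto a single line."""
    msg = email.message_from_string(raw_source)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def originating_hop(raw_source):
    """The lowest Received header that does not mention localhost, i.e. the hop
    closest to the sender (each server prepends its own line, so the bottom one
    is the oldest)."""
    for hop in reversed(received_hops(raw_source)):
        if "localhost" in hop.lower() or "127.0.0.1" in hop:
            continue
        return hop
    return None


def sending_host(hop):
    """Host named after 'from' in a Received header, lower-cased and unbracketed."""
    match = re.match(r"from\s+(\S+)", hop or "", re.IGNORECASE)
    return match.group(1).strip("()[]<>;").lower() if match else None


def from_domain(raw_source):
    """Domain part of the address in the From: header."""
    msg = email.message_from_string(raw_source)
    _, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower()


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it. The leading dot keeps
    look-alikes such as 'notuni-marburg.de' out."""
    return host == domain or host.endswith("." + domain)


def check_sender(raw_source, trusted_domain=TRUSTED_DOMAIN):
    """('suspicious', reason) when From: claims the trusted domain but the mail
    entered via an external server, otherwise ('consistent', reason)."""
    host = sending_host(originating_hop(raw_source))
    domain = from_domain(raw_source)
    if in_domain(domain, trusted_domain) and not (host and in_domain(host, trusted_domain)):
        return "suspicious", f"From: claims {domain} but the mail entered via {host}"
    return "consistent", f"From: {domain}, originating hop: {host}"


if __name__ == "__main__":
    for label, source in (("phishing", PHISHING_SOURCE), ("genuine", GENUINE_SOURCE)):
        verdict, reason = check_sender(source)
        print(f"{label}: {verdict} ({reason})")
```

Paste the message source you copied from your mail client into check_sender. One caveat: only the Received line added by the university's own server (the one that says "by" a uni-marburg.de host) is beyond the attacker's control; lines below it were written by servers the attacker may own and can be forged. In the typical case of a mail sent through an external hosting provider, that trustworthy line and the lowest non-localhost line are the same, which is what the rule above relies on.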

The fake website

The "quality" of phishing pages varies significantly. Sometimes attackers create exact copies of Philipps-Universität login pages, as the two examples below illustrate:

Example 1 - Login ILIAS

You can identify the fake by the red-bordered URL in the browser's address bar. It leads to the page edunm.me, which clearly has nothing to do with our learning platform. Furthermore, the real login page is in German.

Example 2 - Login webmailer

You can recognize the fake by the red-bordered URL in the browser's address bar. It leads to fortress.ru, a Russian site unrelated to Philipps-Universität. In addition, the connection is shown as "not secure". You can always reach the university webmailer via a secure (https) connection, which the browser indicates with a lock symbol in the address bar (shown in green by older browsers). Note, however, that the lock only means the connection is encrypted, not that the site is genuine: many phishing pages use https too, so the domain name in the address bar is what you must check. Here, too, the language is set to English by default, whereas the real Uni-Webmailer is in German.
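The address-bar checks from this section and from the link tips above, as an added example (not code from the page or from the university). It takes a link address as copied from an e-mail or read from the address bar and decides label by label whether the real host belongs to the university's domain, so that the university's name in the path or as a prefix of a foreign host does not fool it; it also flags a missing https and the user@host trick. The host webmail.uni-marburg.de is assumed for the genuine case; the other sample links follow the patterns described on this page (edunm.me, fortress.ru, www.webhostapp000.com).

```python
from urllib.parse import urlsplit

UNIVERSITY_DOMAIN = "uni-marburg.de"  # domain the genuine login pages live under (assumption)


def host_in_domain(hostname, domain):
    """True if hostname is domain itself or a subdomain of it. The comparison is
    done label by label, so 'uni-marburg.de.edunm.me' and 'notuni-marburg.de'
    are both rejected even though they contain the university's name."""
    labels = hostname.lower().rstrip(".").split(".")
    wanted = domain.lower().split(".")
    return len(labels) >= len(wanted) and labels[-len(wanted):] == wanted


def assess_link(url, domain=UNIVERSITY_DOMAIN):
    """Classify a link target as 'ok' or 'suspicious' and list the reasons."""
    # Links copied from a mail often lack the scheme; treat those as plain http.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    brand = domain.split(".")[0]  # "uni-marburg"
    reasons = []
    if not host_in_domain(host, domain):
        reasons.append(f"host '{host}' is not under {domain}")
        if brand in host or brand in parts.path.lower():
            reasons.append("the university's name is only decoration on a foreign host")
    if parts.username is not None:
        # https://webmail.uni-marburg.de@fortress.ru/ really goes to fortress.ru
        reasons.append("a user@ part in front of the real host, a common trick to hide it")
    if parts.scheme != "https":
        reasons.append("no https: the browser will show the page as not secure")
    return ("ok" if not reasons else "suspicious"), reasons


# Constructed sample links: the first host is hypothetical, the rest follow the
# patterns shown on this page.
SAMPLE_LINKS = [
    "https://webmail.uni-marburg.de/login",
    "www.webhostapp000.com/uni-marburg/login",
    "https://uni-marburg.de.edunm.me/ilias/login.php",
    "http://fortress.ru/webmail/",
    "https://webmail.uni-marburg.de@fortress.ru/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reasons = assess_link(link)
        print(f"{verdict:10s} {link}")
        for reason in reasons:
            print(f"           - {reason}")
```

The reasons it prints mirror the three things this page tells you to look at: the real host name, the https lock, and the university's name appearing where it does not belong. Only the host check is decisive; a link can pass the https check and still be a phishing page.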

If it has already happened...

In stressful situations or with well-crafted phishing e-mails, any of us can get caught in the attacker's net. What matters then is to react correctly and quickly to prevent greater damage. Therefore:

Immediately change the password of the affected account! Do this via a bookmark or by typing the address of the real login page yourself, never via the link in the e-mail, and change it everywhere else you have used the same password. Afterwards:

Keep calm & report an IT emergency.
Please contact your IT administration and/or:

IT emergency phone number: 06421 28-28281
E-mail: it-sicherheit@uni-marburg.de