How can I spot malware like Emotet or other Trojans? What makes HTML emails malicious? Why are smartphones so susceptible to phishing? What do I ALWAYS have to check before entering my login credentials?
Our tips and video tutorials are here to keep you safe. Detailed and background information is available in the links below. Subscribe to our InfoSec newsletter for updates to this website, adapted security assessments and warnings. Click here to subscribe.
The main gateway for malicious code, identity theft and fraud is email carrying malicious attachments or links. Therefore: double-check everything, even if you’re in a hurry. If you don’t, poorly maintained systems can easily be compromised by malicious code.
Attackers usually want to trick you into downloading malicious code: they are after your data and your money. To this end, they often imitate familiar emails or websites and tell a believable story. Some use your personal data to appear credible. Here’s what you should do:
When asked to enter personal data, to download or to open attachments, always apply the 3-second security check recommended by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI): Are you familiar with the sender address? Are you expecting a document from this sender? Do the subject line and content of the email make sense? Does the link go to a page that you would expect?
No matter whether malicious code arrives via e-mail attachment, download link or USB stick, or whether malware spreads across the web from infected devices – keeping your system up to date and using antivirus software are indispensable safety measures.
Set up automatic updates for the operating system on each of your devices and, if possible, for all programs/apps, but most importantly for browsers and email clients. Robust antivirus protection is also essential. Both are often the last line of defence if you do fall for phishing or malware links.
Create regular backups of your IT systems. This ensures you don’t lose your data and can restore it as quickly as possible, even after a virus infection or encryption by malware. Make sure to:
Only install software from reliable sources, e.g. official app stores or manufacturer websites. In addition to the features you want, software may also contain malicious features (so-called Trojans).
Emails that put pressure on you and ask you to act quickly usually have sinister intentions: they ask you to activate your account, increase the storage space of your mailbox, pick up missed emails, and so on. Check them carefully and take the other tips to heart. Ask your colleagues, your admin team or the helpdesk for assistance.
Emotet emails almost always use previous email conversations that were stolen from other victims. Trusting their (fake) sender and their authentic content, users can be tricked into opening malicious documents or clicking on malicious links. Therefore, question the authenticity of even those senders you recognise, perform the 3-second security check and, if necessary, check with the sender through other channels.
The display name of an email can be set arbitrarily. If possible, use an email client that displays the complete sender address. Hands off if the sender address doesn’t match. But be careful, even the sender address can be faked. It is therefore always important to look at the entire email in context (see also: 3-second security check).
Responsible email users attach a digital signature to their emails. Digitally signed emails are checked by standard email clients that will display any discrepancies. You can also check the digital certificates used in the emails manually.
Use caution when trusted communication partners, team members and above all managers suddenly communicate via other channels, e.g. using a new (private) email address. Under no circumstances should private email addresses be used for official instructions.
Malware is often distributed via email attachments. If in doubt, ask the sender to confirm any unexpected attachment, whether images, PDFs or Word, Excel or PowerPoint files, or ask an expert to check it. Never confirm a macro or security prompt that asks to allow execution if you have even the slightest doubt.
Malicious macros can be easily transmitted in old MS Office formats (doc, xls, ppt, ...) and in the new macro formats (docm, xlsm, pptm, ...). You should only open such files after checking with the sender. New MS Office formats (docx, xlsx, pptx, ...) can also contain malicious code. Assume fraudulent intent if a macro query/warning is issued for such MS Office files. In any case, we advise a conservative configuration of Microsoft Office programs (German language).
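The extension check above is what a user sees; a mail gateway or helpdesk can go one step further and judge the attachment by its bytes. The following is an added example written for this page (not RUB’s own tooling): the legacy OLE magic marks doc/xls/ppt, the zip-based OOXML formats reveal macros through a vbaProject.bin part or a "macroEnabled" content type, and build_sample() constructs a minimal, not real, OOXML-like file for testing.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy doc/xls/ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # docx/xlsx/pptx and their -m variants
MACRO_EXTENSIONS = {"doc", "xls", "ppt", "docm", "xlsm", "pptm"}

def inspect_office_file(data):
    """Return (container, has_macros) judged from the bytes, not the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole", None  # legacy format: macros possible, cannot be ruled out here
    if not data.startswith(ZIP_MAGIC):
        return "other", None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        types = ""
        if "[Content_Types].xml" in names:
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        # a docm renamed to .docx keeps its macro-enabled content type and VBA part
        return "ooxml", vba or "macroEnabled" in types

def verdict(filename, data):
    """Map the page's advice onto the inspection result."""
    ext = filename.rsplit(".", 1)[-1].lower()
    container, has_macros = inspect_office_file(data)
    if container == "ole" or ext in MACRO_EXTENSIONS:
        return "verify with sender before opening"
    if container == "ooxml" and has_macros:
        return "macro content behind a harmless extension: treat as fraudulent"
    return "open with normal caution"

def build_sample(macro):
    """Constructed minimal OOXML-like zip for demonstration; not a real Word file."""
    buf = io.BytesIO()
    docx_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    docm_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    with zipfile.ZipFile(buf, "w") as z:
        ct = docm_ct if macro else docx_ct
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```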
Malware can also be transported in supposedly secure file formats such as PDF or images. Vulnerabilities in PDF programs are regularly reported. We advise a conservative configuration of PDF programs (German language) if it is necessary to open PDFs from unknown senders (e.g. when processing job applications).
Check any email links carefully before you click on them. Attackers often disguise third-party links by inserting “bochum” or “rub” into them, but the links still lead to third-party servers. Don’t follow any unfamiliar links. If a link is embedded in an HTML email, you should always first hover over the link and check the address.
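The two checks described above (the arbitrary display name of a sender, and links that merely mention “rub” or “bochum” while pointing elsewhere) can be automated for a mailbox or helpdesk triage. This is an added example for this page, not RUB’s code; the TRUSTED_DOMAINS set is an assumption to adapt to your own organisation, and the sample headers and HTML in the test are constructed.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed for this example, not taken from the page: adjust to your environment.
TRUSTED_DOMAINS = {"rub.de", "ruhr-uni-bochum.de"}
LURE_WORDS = ("rub", "bochum")  # terms attackers insert to look familiar

def host_is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_sender(from_header):
    """Compare the freely chosen display name with the real sender address."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    claimed = re.search(r"@([\w.-]+)", name)  # display name that looks like an address
    if claimed and claimed.group(1).lower() != domain:
        findings.append(f"display name claims @{claimed.group(1)}, real address is @{domain}")
    if any(w in name.lower() for w in LURE_WORDS) and not host_is_trusted(domain):
        findings.append(f"display name evokes the organisation, real address is @{domain}")
    return findings

class _Links(HTMLParser):  # collects (href, visible text): what hovering would reveal
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Flag links that mention the organisation but lead to a third-party host."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        # a genuinely trusted host passes whatever its wording; everything else is
        # suspicious if the URL or link text borrows the organisation's name
        if not host_is_trusted(host) and any(w in (href + " " + text).lower() for w in LURE_WORDS):
            findings.append(f"'{text}' -> {href} (real host: {host})")
    return findings
```

The substring match on LURE_WORDS is deliberately coarse; it is meant to raise a flag for a human to apply the 3-second security check, not to replace it.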
If possible, turn off the HTML view in your email client. Many emails may then no longer look fancy, but you will spot fake links much more easily. In most email clients, you can switch on the HTML view on a case-by-case basis if you trust the sender of an email.
Since HTML emails can also be used to transport malicious code and track recipients, we recommend that you do not use the HTML format when composing emails.
Only enter confidential data – especially passwords – on websites that you have accessed by typing in the address or via a bookmark. This costs time, but you will be one hundred per cent on the safe side. Attackers often imitate login pages (e.g. RUB webmail, RUB Outlook web access).
If all you have is the link you received in an email, check the address bar of the browser – even if the website looks the same "as usual". Only enter your login credentials if you recognise the address of the website without a doubt.
Websites where you log in or enter any other data should always be encrypted. This is indicated by https in front of the web address/URL and often by a closed or green lock symbol in the address bar of your browser.
Information is often distributed via separate documents in order to preserve a specific layout. If recipients of the information are no longer supposed to edit the files, we recommend converting documents into PDF format. The latest MS Office programs offer PDF export options for this purpose.
If you frequently exchange files with groups or individuals, we recommend that you set up shared storage locations and download links in advance, e.g. Sciebo, network drives or Sharepoint. Depending on the tool, features such as joint editing of files, versioning of documents and automatic notification on updated documents can even offer considerable added value.
Before exchanging confidential content, e.g. personal data, make sure that the exchange method meets any data protection requirements. Personal data with a high protection requirement, for example, may only be stored on Sciebo in encrypted form. If the need for protection is particularly high, it is not allowed to store the information on Sciebo.
Email apps on mobile devices often only support HTML display of emails. And since you don’t have a mouse, you can’t see where the links take you. The solution is to tap and hold the link until the destination is displayed. Only click on links to trusted/known addresses.
On smartphones, senders are often shown by their display name only. To see the complete sender address, you can tap "Forward", for example.
Fake support staff or supposed police officers might try to contact you with fraudulent intent, especially when you’re working from home. Reputable support teams will not call you without a reason or authorisation, and the police and emergency services never use the emergency numbers 110 or 112 for outgoing calls.
Caller numbers are easy to fake. If necessary, check with your contacts by calling them in turn. Terminate any unexpected phone calls immediately. Do not install any software at the request of such unsolicited callers and never give out passwords or other confidential information.
Software applications and data centers worldwide are currently affected by a Java vulnerability called Log4Shell. RUB has taken immediate security measures.
Users are not the main target of attackers. However, since Java is also used on many consumer devices (e.g. IoT), caution is still required. Security updates for devices and applications should be applied as quickly as possible.
RUB News from 13 December 2021 (in German)
Service portal: FAQ concerning Log4Shell (in German; only available in the RUB network)
We have reported how real phishing emails may look on our news pages, e.g. here:
University employees hit by phishing wave (in German)
Phishing email requests validation (in German)
Watch out for smishing (in German)