Recognising dangerous emails

The University of Vienna is so kind to tell the whole world about your email address, and the world surely is making use of that information. It’s just that the world’s intention are, sometimes, bad ones.

There are malicious actors out there who want to trick you into disclosing your University of Vienna username and password, infect your computer with malicious software, get you to pay them money, or simply to visit their website.

Some of those emails are easy enough to recognise (”You have won $100,000,000 in the ACME Inc. Lottery! Just send us your credit card number, its expiry date, your CVC, and your date of birth by TOMORROW!”). This is no accident; the people who send these emails only want you to reply if you are gullible enough to fall for their schemes.

However, some of these emails are harder to recognise; above all, those that are crafted to trick you into revealing your username and your password or running malicious software. So here is checklist to help you decide whether you should trust an email.

 

Checklist

Whom is the email from?

If the email is not from somebody you know, be careful.

If you are suspicious, take the time to check what it wants you to do and whether it appears to be from somebody who can ask this of you legitimately. For example, if an email requests that you login into your University of Vienna account, does it originate from the University of Vienna’s computer centre? You can check whom an email is actually from by looking at the sender’s address. If it ends with “@univie.ac.atand the part in front of the “@univie.ac.at” contains “zid” (for Zentraler Informatikdienst) it is from the University of Vienna’s computre centre. Otherwise, the email is fraudulent.

A cursory look at the sender’s address won’t do! For example, a malicious actor may send an email from an address that looks as if it belonged to the University of Vienna, but that does not. They may, for example, choose email addresses that end in “@univle.ac.at” or “@univie.edu.”

However, the reverse does not hold true. There are ways to forge sender addresses. And malicious sometimes actors manage to get illegitimate access to legitimate email accounts.

 

Does the email request that I visit a website (or imply that I should)?

If the email requests that you visit a website (or asks you to do something that requires you to do so) and is not from somebody you know, it is likely fraudulent.

Again, check whether the email appears to be from somebody who can make that request legitimately (see above).

But don’t stop there! Also check whether the website the email asks you to visit makes sense. For example, if the email asks you to login into your University of Vienna account, then the domain part of the website’s address, that is, the part between “http://” or “https://” and the next “/”, must end with “.univie.ac.at”. If it doesn’t, it’s not a University of Vienna website.

Again, watch out for variations! For example, if the domain ends with “.univle.ac.at” or “univie.info”, then the website does not belong to the University of Vienna. The website’s domain must end with “.univie.ac.at” or the email is fraudulent.

The reverse does not hold true, however. There are ways to forge these addresses. Worse, the University of Vienna’s network is large, and hackers sometimes manage to gain access to one if its servers and may use that to trick you.

If you did visit that website (and you shouldn’t have), then you may notice that the website does not look like other University of Vienna websites. This is another warning sign. Again, the reverse is not true. We have already seen fake Univesity of Vienna websites that looked like the real thing. If you did enter your password on a fraudulent website, change it immediately.

 

Does the email request that I login somewhere (or imply that I should)?

If so, this email is likely fraudulent. Unfortunately, many companies, first and foremost Google, email people to request that they review their privacy or their security settings. Still, most organisations and companies never do that. The University of Vienna’s IT department never does that. There is no technical reason for an IT department or a company to ever ask you via email to login to your account just for the sake of logging in, “updating” your account, “confirming the security” of your account, etc. Note, an email may just as well ask you to do something that requires you to be logged in, rather than asking you to login upfront. If you did enter your password on a fraudulent website, change it immediately.

 

Does the email request that I open an attachment (or imply that I should)?

If so and the email is not part of an ongoing conversation, then it is almost certainly fraudulent. Never open attachments before you have checked whom they are from. Never open attachments from people that you don’t know. 

 

Does the email create a sense of urgency?

If so, the email is likely fraudulent. Malicious actors often try to scare you (“Your account will be disabled!”) or to create a sense of urgency (“Important message!”) in the hope that this will make you act on the email before you took the time to check whether it’s legitimate.

 

Does the narrative check out?

  • Are you referenced by name? (And is it your name?)
  • Do you understand what the email is about (or does it throw around jargon, leaving you only with a vague idea of why you are supposed to do something)?
  • Did you expect to receive an email in that matter (or does it come out of the blue)?
  • Do you know the other people that the email references?

If the answer to more than one of these questions is “No,” you should be suspicious. Again, the reverse is not true. A malicious actor may take the time to craft a good story or may even target you personally.

 

Examples

Example 1

Subject: DEANERY shared "schedule Oct-Dec(1).xls " with you.
Date:
 14.10.2019 14:28
From:
 DEANERY <mallory@freemail.example>
To:
 "userID@univie.ac.at" <userID@univie.ac.at>

Here's the document that DEANERY shared with you.
This link will work for anyone.[1]

Links:
------
[1] https://evil.example/abc/12345

You should notice five things about this email, from top to bottom:

  1. The subject mentions that “Deanery” wants to share a file with you? (Presumably, that’s the attackers best guess for “dean’s office.”) Do you expect the people who work there to use the wrong word to refer to their own department?
  2. Did you expect to get a file from “Deanery”?
  3. The sender claims to be “Deanery,” that is, a dean’s office, but “mallory@freemail.example” doesn’t look like an institutional email address. The sender certainly isn’t from the University of Vienna.
  4. The sender doesn’t address you by name.
  5. The email implies that you should visit a website; presumably, it will ask you to download malicious software from there.

This email is a good example for the rule that you should ignore (or delete) emails that (1) are from people you don’t know, (2) come out of the blue, and (3) ask you to visit a website or open attachment.

Example 2

Subject: CL meeting schedule.xlsx
Date:
16.10.2019 14:04
From:
"Smith, Maria" <noreply@somecompany.example>
To:
"userID@univie.ac.at"<userID@univie.ac.at>

Hi!
Thank you for offering to find rooms for me for this schedule.

I can eventually attached it!
https:‌//dw2.dropbox-eu.com/?abcdefghiklm123-userID@univie.ac.at-alongstringoflettersandnumbers

Thanks again
Maria

This example is similar to example no. 1. An email that is from (1) somebody you don’t know, (2) comes out of the blue, and (3) asks you to download a file. (In this case, it’s an Excel speardsheet that likely contains a macro virus.) Note, that the link contains a University of Vienna email address does not make it legitimate! The “univie.ac.at” part must occur between “https://” or “http://” and the next “/”.

 

In case of doubt

If you’ve read the list above carefully, you will have noticed there are no hard and fast rules to determine whether an email is fraudulent. You have to use your judgement. If you aren’t sure, please get in touch with the department’s IT support. We are also happy if you inform us about any fraudulent email you got, so that we can warn others; in particular if it’s a well-crafted one.