The University of Vienna is so kind to tell the whole world about your email address, and the world surely is making use of that information. It’s just that its intentions aren’t always good. There are malicious actors out there who want to trick you into disclosing your University of Vienna username and password, infect your computer with malicious software, get you to pay them money, or simply to visit a website. Some of those emails are easy enough to recognise (”You have won $100,000,000 in the ACME Inc. Lottery! Just send us your credit card number, its expiry date, your CVC, and your date of birth , and some blood of your first-born by TOMORROW!”). This is no accident; the people who send these emails only want you to reply if you are gullible enough to fall for their schemes. However, some of these emails are harder to recognise; namelyabove all, those that are crafted to trick you into revealing your username and your password or running malicious software. So here is checklist to help you decide whether you should trust an email.

...

If the email is not from somebody you know, it may be fraudulent. Check careful.

If you are suspicious, take the time to check what it wants you to do and whether it appears to be from somebody who can make that request ask this of you legitimately.

For example, if an email requests that you login into your University of Vienna account, does it originate from the University of Vienna’s computer centre? That is, does You can check whom an email is actually from by looking at the sender’s address end in . If it ends with “@univie.ac.at” and does the part in front of the “@univie.ac.at” contain contains “zid” (for Zentraler Informatikdienst) ? it is from the University of Vienna’s computre centre. If not, the email is not legitimate.

A cursory look at the sender’s address won’t do Watch out for variations! For example, a malicious actor may send an email from an address that ends in “@univle.ac.at” or “@univie.edu.” These are not legitmate.

Only addresses ending in “@univie.ac.at” are. If the sender is not legitimate, the email is certainly fraudulent. The reverse does not hold true, however. Just because the sender appears legitimate, the email may still be fraudulent. There are ways to forge sender addresses. And malicious sometimes actors manage to get illegitimate access to legitimate email accounts.

Does the email request that I visit a website (or imply that I should)?

If the email requests that you visit a website (or asks you to do something that, implicitly, requires you to do so) and is not from somebody you know, it is likely fraudulent.

Again, check whether the email appears to be from somebody who can make that request legitimately (see above).

But don’t stop there! Also check whether the website the email asks you to visit matches the requestmakes sense. For example, if the email asks you to so something that requires you to login into your University of Vienna account, then the domain part of the website’s address, that is, the part between “http://” or “https://” and the next “/”, must end with “.univie.ac.at”. If it doesn’t, then it is not a University of Vienna website.

Again, watch out for variations! For example, if the domain ends with “.univle.ac.at” or “univie.info”, then the website does not belong to the University of Vienna. The website’s domain must end with “.univie.ac.at” , nothing else or the email is certainly fraudulent. The reverse does not hold true, however. Just because the website appears to be the University of Vienna, the email may still be fraudulent. There are ways to forge these addresses. AlsoWorse, the University of Vienna’s network is large, some servers are run by individual departments, and hackers . And hackers sometimes manage to gain access to those from time to timea server and may use that to trick you.

If you did visit that website (and you shouldn’t have), then you may notice that the website does not look like other University of Vienna websites. This is another warning sign. Again, the reverse is not true. We have already seen fake Univesity of Vienna websites that looked like the real thing.

Does the email request that I login somewhere (or imply that I should)?

If so, this email is likely fraudulent. Unfortunately, many companies, first and foremost Google, have started to email people to request that they review their privacy or their security settings. Still, most organisations and companies never do that. The University of Vienna’s IT department never does that. There is no technical reason for an IT department or a company to ever ask you via email to login to your account just for the sake of logging in, “updating” your account, “confirming the security” of your account, etc. Note, an email may just as well require that ask you to do something that requires you to be logged in, so that you won’t wonder if you encounter a login maskrather than asking you to login upfront.

Does the email request that I open an attachment (or imply that I should)?

If so and the email is not part of an ongoing conversation, then it is almost certainly fraudulent. Never open attachments before you have checked whom they are from. Never open attachments from people that you don’t know. 

...

If so, the email is likely fraudulent. Malicious actors try to scare you (“Your account will be disabled!”) or to create a sense of urgency to get get you to overlook that the email is not (“Important message!”) in the hope that this will make you act on the email before you took the time to check whether it’s legitimate.

Does the narrative check out?

• Are you referenced by name? (And is it your name?)
• Do you understand what the email is about (or does it throw arround around jargon, leaving you only with a vague idea of why you are supposed to do something)?
• Do Did you expect to receive an email in that matter (or does it come out of the blue)?
• Do you know the other people that the email references?

If the answer to more than one of these questions is “No,” you should be suspicious. Again, the reverse is not true. An A malicious actor may be take the time to craft a good story or may even target you personally.

Examples

An Example

...

Example 1

Betreff:     Dringende Infos  DEANERY shared "schedule Oct-Dec(1).xls " with you.
Datum:     Mon, 14 Oct 2019 08:48:56 +0100
Von:     Studienzulassung@univie 14.10.2019 14:28
Von: DEANERY <juzhuo@juzhuo.net>
An: "userID@univie.ac.at <a12345678@unet.univie"<userID@univie.ac.at>
An:     Recipients <Studienzulassung@univie.ac.at>
Sehr geehrte/r
Sie haben 1 neue wichtige Planungsnachricht
Klicken Sie hier, um zu lesen  <https://forcerealty.com/cgi>
Danke,
Universität Wien
Universitätsring 1
1010 Wien
Dies ist ein automatisch generiertes E-Mail; bitte keine Antwort an diese Adresse schicken!at>

          Here's the document that DEANERY shared with you.

          This link will work for anyone.

          [1]

Links:
------
[1] https://chogoon.com/srt/4f2hn

You should notice five things There are many things to note about this email, from top to bottom:

1. The subject claims that the email is urgent (“Dringende Infos”).
2. It’s from a University of Vienna email address. But if you look more closely, you’ll see that it claims to be from Studienzulassung@univie.ac.at, but is really from a12345678@unet.univie.ac.at. That there are two different email addresses in the “From:” field is a warning sign in itself. (In this case, the real email address belongs to a student, whose account has probably been hacked.) What is more, the email address doesn’t match the narrative of the email. The email tells you about a “planing message,” but claims to hail from the department for student enrolment (”Studienzulassung”). Why would that department send you a “planning message” (whatever that is?). Are you involved in student enrolment?
3. The email is not addressed to you in person. (“Sehr geehrte/r”)
4. The email appears to be from some department of the University of Vienna, but asks you to visit a website that does not belong to the University of Vienna. You can see this because it’s domain part, that is, the part between “https://” and the next “/” reads “forcerealty.com”, so it does not end with “univie.ac.at”.
5. mentions that “Deanery” wants to share a file with you? (Presumably, that’s the attackers best guess for “dean’s office.”) Do you expect the people who work there to use the wrong word to refer to their own department?
6. Did you expect to get a file from “Deanery”?
7. The sender claims to be “Deanery,” that is, a dean’s office, but “juzhuo@juzhuo.net” doesn’t look like an institutional email address. The sender certainly isn’t from the University of Vienna.
8. The sender doesn’t address you by name.
9. The email implies that you should visit a website; presumably, it will ask you to download malicious software from there.

This email is a good example for the rule that you should ignore (or delete) emails that (1) are from people you don’t know, (2) come out of the blue, and (3) ask you to visit a website or open attachment.

Example 2

Betreff: CL meeting schedule.xlsx
Datum: 16.10.2019 14:04
Von: "Parsons, Michelle" <noreply@youtilita.co.uk>
An: "userID@univie.ac.at"<userID@univie.ac.at>

Hi,

Thank you for offering to find rooms for me for this schedule.   I can eventually attached it!
https://dw2.dropbox-eu.com/?73TE8nod7aaI5eaW-a1140479@univie.ac.at-dDi8Oo12312bO3I3Ez7iTOt4TiaI1sxY1OexrLZaasdd1234145nf8iG47oAy2PJOE46576opeOlH25EHp6ks66u078saahCg7taUu8Uto603aso4zTAagIOioag4KwiocFoAYat42

Thanks again
Michelle

This example is similar to example no. 1. An email that is from (1) somebody you don’t know, (2) comes out of the blue, and (3) and ask you to download a file. (In this case, it’s an Excel speardsheet that likely contains a macro virus.)The points 2 and 4 of this list are each sufficient on their own to judge this email fraudulent.

In case of doubt

If you’ve read the list above carefully, you will have noticed there are no hard and fast rules to determine whether an email is fraudulent. You have to use your judgement. If you aren’t sure, call the sender by phone. (If you can’t, then you don’t ‘really’ know the sender and should regard the email as more suspicious for it). You can also ask us, the department’s IT support, for our opinionplease get in touch with the department’s IT support. We are also happy if you inform us about any fraudulent email you got, so that we can warn others; in particular if it’s a well-crafted one.