Recognizing phishing

This guide describes how to recognize phishing messages and distinguish them from spam.
If you have recognized a phishing message, please follow the linked instructions for reporting phishing messages.

Distinguishing between spam and phishing

Spam and phishing are two different types of unwanted emails. They differ in particular in their intent.

  • Spam is usually broad-based advertising or contains attempts at fraud.
     
  • Phishing, on the other hand, specifically aims to steal personal data—usually login details. This form of attack is usually tailored to a specific user group (e.g., customers of a bank, a parcel service provider, or even our university). It often imitates the corporate design of legitimate messages or uses a supervisor or important business partner as the supposed sender.

If the email you have received is spam, you can report it using the instructions linked on the right. In the case of phishing, please follow the instructions below for your email client.

Example of a phishing email

Example of a phishing email and the elements to look out for in Outlook and Thunderbird.

Recognizing phishing

You can already recognize most phishing emails based on the points marked in the example:

  1. Check the sender for anything suspicious. Most phishing emails come from unknown senders, but internal addresses are also used, or the name of a supervisor is shown as the display name. The display name is chosen freely by whoever sends the mail and proves nothing; always look at the actual address behind it.
     
  2. The text usually refers to a service you actually use or to communication that actually took place, and announces negative consequences (a locked account, a missed delivery, a late payment) if you do not respond quickly. What is almost always missing is concrete information such as names, dates or evidence that would support the claims. The exception is spear phishing, where a specific person is targeted and the message contains many accurate details about the process, for example in attempted invoice fraud. If an email pressures you to take an important action quickly, verify that every statement in it is true before you act.
     
  3. If the email contains links, first hover over them with the mouse. The tooltip shows the real target address, which need not match the text of the link. Only click a link once you have established that the email is clearly trustworthy!
     
  4. Then check the address that is displayed. The part that decides who operates the site is the host name: everything between “https://” and the first slash “/”. If it does not match the known address of the service or looks suspicious in any other way, be careful. Example: in https://exchange.beispiel.de/uni-heidelberg.de/owa/ the host is “exchange.beispiel.de”; the “uni-heidelberg.de” after the first slash is only part of the path, which the site operator can choose at will. Data entered on such a page does not go to the university but to an external site operator. The addresses of our services, such as https://exchange.uni-heidelberg.de/owa/, almost always have uni-heidelberg.de before the first slash. Therefore, only enter your university login details on pages whose host is uni-heidelberg.de itself or a subdomain of it (i.e. it ends with “.uni-heidelberg.de”, including the dot; a host such as fakeuni-heidelberg.de is a different domain), or which you are absolutely certain are operated by the university.
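
The following script is an added example and not part of this guide or of any university tool. It performs the checks from points 3 and 4 on an HTML mail body: it extracts every link, takes the host name from the real target (the href, which is what the hover tooltip shows) rather than from the visible link text, and accepts only uni-heidelberg.de or a subdomain of it. The mail body is constructed for the example; the hypothetical helper names (host_of, is_university_host, check_links) are not from the original page.

```python
"""Check where the links in an e-mail body really lead.

Added example (not the page's own code): the same check a reader does by
hovering over a link in Outlook or Thunderbird, done programmatically.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uni-heidelberg.de"


def host_of(url: str) -> str | None:
    """Return the host of a URL: what stands between 'https://' and the
    first '/'. Anything after that slash is a path and says nothing about
    who operates the site. Returns None for non-http(s) or malformed input."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname is lower-cased and excludes any 'user@' prefix and any port,
    # so 'https://uni-heidelberg.de@evil.example/' yields 'evil.example'.
    return parts.hostname


def is_university_host(host: str) -> bool:
    """True only for uni-heidelberg.de itself or a subdomain of it.
    A bare endswith('uni-heidelberg.de') would also accept
    'fakeuni-heidelberg.de', so the label boundary (the dot) is required."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in a body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list[dict]:
    """Classify each link as 'ok' (real target is a university host) or
    'suspicious', and flag links whose visible text shows a different host
    than the one the href actually points to."""
    parser = LinkExtractor()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        real = host_of(href)
        shown = host_of(text)  # None unless the link text itself looks like a URL
        results.append({
            "href": href,
            "host": real,
            "verdict": "ok" if real and is_university_host(real) else "suspicious",
            "text_mismatch": shown is not None and shown != real,
        })
    return results


# Constructed sample body (not a real message): the two addresses from the
# guide plus two variants of the same trick.
SAMPLE_BODY = """
<p>Your mailbox will be locked. Log in now:</p>
<a href="https://exchange.beispiel.de/uni-heidelberg.de/owa/">https://exchange.uni-heidelberg.de/owa/</a>
<a href="https://exchange.uni-heidelberg.de/owa/">Webmail</a>
<a href="https://fakeuni-heidelberg.de/owa/">Webmail</a>
<a href="https://uni-heidelberg.de@exchange.beispiel.de/owa/">Webmail</a>
"""

if __name__ == "__main__":
    for r in check_links(SAMPLE_BODY):
        flag = "  (link text shows a different host!)" if r["text_mismatch"] else ""
        print(f"{r['verdict']:10} {r['host']}{flag}  <- {r['href']}")
```

Run as a script it prints one line per link; only the second link is rated "ok". The first is flagged twice: its host is exchange.beispiel.de, and its visible text claims to be exchange.uni-heidelberg.de. The last two show why the host must be compared at a label boundary and taken from the part after any "@", not by a simple substring match.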

If at least one of the above points seems suspicious, contact the purported sender through a channel you already know (e.g., a phone number you have saved or the address book entry, never the contact details given in the suspicious email itself) and have them confirm that the email is genuine.