Report phishing to the URZ
How to report a phishing message
We need the potential phishing emails in their entirety for further investigation, so please forward the email to phishing@urz.uni-heidelberg.de using the following steps.
Reporting in Thunderbird
- Select the email and right click on the entry.
- In the menu, select "Forward and redirect."
- Select the option "As attachment."
- In the window that subsequently opens, enter phishing@urz.uni-heidelberg.de as the recipient and, if necessary, add your own comments.
- Send the email.

Reporting in Apple Mail
- Select the email.
- Go to "Email" under "Menu."
- Select the option, "Forward as attachment."
- Enter the address as the recipient.

Reporting in Outlook
- Select the email.
- Click the three dots located on the upper right of the email display.
- Click "Forward as attachment."
- In the window that subsequently opens, enter phishing@urz.uni-heidelberg.de as the recipient and, if necessary, add your own comments.
- Send the email.

This how-to describes how to report a phishing message to the URZ. We collect these reports and, depending on the threat level, may notify the university in a service announcement. When possible, we will contact the operator of the linked phishing site and request that it be deactivated.
Because it is very easy to create new email addresses on the internet, blocking individual senders is not effective. Therefore, we kindly ask you to refrain from making such requests.
If you are unsure whether a particular email is phishing and would like our opinion, please write a brief note to this effect in your email.
Differentiate Spam and Phishing
Spam and phishing are two different types of unwanted emails. They can be differentiated based on their objective.
- Spam is usually broadly distributed advertising or contains attempts at fraud.
- Phishing, on the other hand, specifically aims to steal personal data, usually login details. This type of attack is usually targeted at a specific user group (e.g., the customers of a bank, a parcel delivery service, or even our university). This often involves imitating the corporate design of legitimate messages or using a superior or important business partner as the supposed sender.
If the email you have received is spam, you can report it using the instructions linked on the right. In the event of phishing, please follow the instructions for your email client under "How to report a phishing message."
Example phishing email

Recognize Phishing
You can identify most phishing emails based on the points marked in the example:
- Check the sender's email address for anything suspicious. While most phishing emails are sent by unknown senders, it is possible that they may appear to come from a trusted source, such as a supervisor.
- The email's content usually refers to a service that is actually used or a communication that has actually taken place. In this case, negative consequences are threatened if action is not taken quickly. However, there is almost always a lack of concrete information, such as names or evidence to support the statements. One exception to this is spear phishing, where a specific person is targeted with a lot of details about a particular process, e.g., when attempting invoice fraud. If the email pressures you to take urgent action, please check carefully that all the information is correct.
- Do NOT click on any links until you have verified that the email is trustworthy! If links are included, first hover over them with your mouse to check the URL. If it does not match the service's usual address or appears suspicious in any other way, caution is advised. An example of this would be https://exchange.example.de/uni-heidelberg.de/owa/. Here, “example.de” appears before the first slash “/” after “https://”. If you enter your data on this page, it will not be sent to the university but to an external website operator. The addresses of our services, such as https://exchange.uni-heidelberg.de/owa/, almost always have "uni-heidelberg.de" directly before the first slash. Therefore, only enter your university login details on websites whose domain ends with uni-heidelberg.de or which you are absolutely certain are operated by the university.
If even one of the above points seems suspicious, you should contact the supposed sender via a known channel (e.g., using a saved phone number) to confirm the authenticity of the email. If that is not possible, we can provide an assessment of the email if you send it to us as described under "How to report a phishing message."
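
The link check described under "Recognize Phishing" can also be written as a small program. The following is an added example, not URZ code; the names host_of, is_university_host and SAMPLES are assumptions, and the sample links are constructed. It goes beyond the single example above by covering a few more ways a link can contain "uni-heidelberg.de" without leading to the university.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uni-heidelberg.de"  # the domain this page tells you to look for


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL, or "" if it cannot be determined.

    The host is the part between "://" and the first "/", minus any
    "user@" prefix and ":port" suffix.
    """
    # Refuse backslashes, whitespace and control characters: URL parsers
    # do not agree on how to read them, so the result cannot be trusted.
    if any(ch == "\\" or ch <= " " for ch in url):
        return ""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # e.g. malformed bracketed host
        return ""
    return host.rstrip(".")  # "host." and "host" name the same site


def is_university_host(url: str) -> bool:
    """True if the URL's host is the trusted domain or one of its subdomains."""
    host = host_of(url)
    # Compare on a dot boundary so a host that merely ends in the same
    # letters (no dot in front) is not accepted.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample links, as they might appear when hovering over them.
SAMPLES = [
    "https://exchange.uni-heidelberg.de/owa/",             # from the page: genuine
    "https://exchange.example.de/uni-heidelberg.de/owa/",  # from the page: external
    "https://uni-heidelberg.de.example.de/owa/",           # name is only a prefix
    "https://example-uni-heidelberg.de/owa/",              # no dot boundary
    "https://uni-heidelberg.de@example.de/owa/",           # name is only a user part
    "HTTPS://Exchange.Uni-Heidelberg.DE:443/owa/",         # case and port ignored
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = "university" if is_university_host(link) else "EXTERNAL"
        print(f"{verdict:10}  host={host_of(link)!r:32}  {link}")
```

A link that passes this check only shows that the address belongs to the university domain; the other points in the list above still apply.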