Detect malicious emails: HTW Dresden

JavaScript is not activated!

Please enable JavaScript in your browser!

Detecting pishing mails and mails with malware

Unfortunately, it is not possible to prevent malicious emails from reaching HTW-Dresden time and again. Mail addresses must be published for teaching and public relations purposes, and are therefore known.

Please delete such mails from your mailbox immediately!

Malicious e-mails include:

Pishing e-mails: Attempts to obtain the user's personal data via fake websites or e-mails in order to commit identity theft / to passwords
E-mails with malicious code (ransomware, Trojans, backdoors)

You have accidentally entered your password?

If you have accidentally entered your password on the linked address of a malicious mail, change it immediately via the HTW websites or on your domain PC. Instructions for changing the password can be found on the ZID web pages.

How do you recognise such mails?

Even one or two applicable points can be a sufficient indication of a forgery:

Fake / strange sender address / recipient address (e.g. the sender address is not an HTW email but e.g. a Gmail address, although the alleged sender is a member of the HTW).
- Attention, the sender can also be fake!!! A known sender is no guarantee of authenticity!
- Often similar addresses are used (e.g. amzon.com, instead of amazon.com)
- In Outlook, HTW-internal senders are displayed with last name, first name
- Make sure that the tone of voice matches the alleged sender
There are threats of consequences; e.g. a mail account deletion for not responding in 48 hours pressure from an alleged superior.
A strong sense of urgency is conveyed
Curiosity is aroused (the news is too good to be true)
meaningless subject,
missing of personal address,
the content is absurd or in bad spelling/grammar
- Attention! Due to the possibility of generating or translating the text with AI-supported tools, this need no longer apply
a copyright symbol in the text,
ominous external link,
missing of a closing salutation,
missing text signature,
the mail was sent during the night
Error in the official designation.
Missing PKI signature
- On the web page sign and encrypt you will find detailed information on sending mails with a signature and on how to recognise the signature.

Further examples of the distribution of mails with harmful content

Reply with a forged sender to a mail communication that really took place:
- E-mail traffic is easy to intercept if it is not encrypted. If in doubt, ask via another medium (e.g. via a phone call) whether the content or attachment is really relevant.
Mail traffic from an account hijacked at the HTW-Dresden with a real HTW sender address
- In this case, send an email to service.rz@htw-dresden.de so that we can block the hijacked account.

Überprüfung des Mail-Headers

Check in Outlook

To check the header of a message in Outlook:

Open the message with a double click
Click on the box for message options under the item Marks.
Under Internet headers you will now find the history of the e-mail traffic
Pay particular attention to the Received: from and MessageID fields.
You can find examples of forged sender addresses at the bottom of this page

[Translate to English:] Screenshot Outlook Nachrichtenoptionen

[Translate to English:] Screenshot eines Mailheaders

Check in Thunderbird

To check the message To check the message header in Thunderbird:

In the menu, select View --> Headers and there select All

[Translate to English:] Screenshot Kopfzeilen in Thunderbird anzeigen

Structure of a web address

How do you recognise a web address and its origin?

A web address has at least the following components (explained with 2 examples):

https://(1)www(2).htw-dresden(3).de(4)/(5)hochschule/organisation/rechenzentrum/arbeitsplatz-und-kommunikation/e-mail/signieren-und-verschluesseln(6)

https://(1)jobboerse(2).htw-dresden(3).de(4)/(5)jobsuche/(6)

1	http:// oder https://	Denotes the protocol http is unencrypted, please do not submit any confidential data to the website here https is encrypted
2	www jobboerse	Server name, can also be composed of several parts, with .separated
3	htw-dresden	Domain, on pages of the HTW Dresden always htw-dresden
4	Land	de=Germany com=commercial* org=organisation* net=Network management*
5	/	Any information can be placed after this /
6	Directory	the directory can have any depth and any name

*Can now be awarded to any operator

By moving the mouse over a link (no click!) the real link is displayed.

Here are three examples of a hidden link abroad:

Beispiele für gefälschte Links

[Translate to English:] Screenshot eines Links in die Türkei

This link suggests that it is linked to the HTW-Dresden.

However, when the mouse button is hovered over, an address in Turkey is displayed (recognisable by the .tr)

[Translate to English:] Pishing-Mail Screenshot

This mail has several spam characteristics:

It was sent in the middle of the night
It contains the threat that the account will be blocked in 24 hours and 7 mails are waiting to be read
the sender is not from the HTW
The link leads to Montenegro (.me)

[Translate to English:] Screenshot gefälschter Link mit HTW-Dresden im Namen

Even though in this case htw-dresden.de is included in the mail address, this is a link pointing to a web address in Greece.

All information after the first simple / designates only the directory structure and does not contain any information about the server!

[Translate to English:] Screenshot einer Pishing Mail

HTW-Dresden will not ask you to change your login data via a link.

This link leads to a completely different address.

Always change your password by going directly to www.htw-dresden.de --> University --> IT Service Centre --> User management and drives --> Change HTW-Login-Passwort or via a method described on the page "Hints on changing the password"