Notes on Phishing E-Mails

ZIM HilfeWiki - das Wiki
Die deutsche Version finden Sie auf der Seite Hinweise zu Phishing-E-Mails

Unfortunately, e-mail addresses from the university namespace are repeatedly misused to send spam and phishing e-mails. Please be suspicious if you receive an email that you cannot assign to any context.

Phishing[Bearbeiten | Quelltext bearbeiten]

One method of attack to obtain usernames and passwords are so-called phishing e-mails. Phishing refers to attempts to obtain an Internet user's data via fake websites, e-mail or short messages and thus commit identity theft. The aim of the fraud is to use the data obtained, for example, to plunder the bank account and harm the relevant persons.

This may well include targeted attacks, which may be embedded in conversation histories. Therefore, you should use the checklist below for every e-mail. With a little routine, just a few seconds are enough to prevent immense damage.

Am I a potential target?[Bearbeiten | Quelltext bearbeiten]

The answer is essentially always, yes. It is much easier for an attacker to gain access to systems via phishing than via attacks based purely on a technical attack vector. Even if you do not have access to important infrastructure credentials, significant damage can still be done with your login data. Simply having access to your email inbox can help an attacker inspire more trustworthiness, as they now have access to conversation histories and may also be able to use your email address.

Phishing is a significant threat. Simply by double checking or not rashly opening a link or file you don't recognize, you can prevent significant damage.

What to do if I have been deceived?[Bearbeiten | Quelltext bearbeiten]

If you have revealed your university account login information in a phishing attack, please change your password immediately. You can find instructions on how to change your password in the article
Changing the password.

It is important to make a report as soon as you suspect that you have been deceived by a phishing message. The only way to limit possible damage is for our experts to respond to such a situation as quickly as possible. The faster, the better.

There are three ways to make such a report:

Checklist for distinguishing spam and phishing messages[Bearbeiten | Quelltext bearbeiten]

  1. Check the sender
    • Is the email address really from the expected sender?
    • Can you verify the email address?
      • By comparing it with a known e-mail address
      • By contacting the sender (by phone or via a verified email address)
    • A legitimate sender alone is not a sign of a trustworthy email, as its email box may have been compromised by a possible attacker.
  2. Check the content (Does the content seem suspicious to you?)
    • Is the sender's message expected?
    • Does the email signal a need for action or urgency?
    • Are there any abnormalities in the formatting?
    • Is the salutation impersonal?
    • Does the email ask for passwords or personal information?
  3. Check the links (Are the displayed links trustworthy?)
    • What destination URL is displayed in the status bar when you hover over the link?
    • Does the domain match a trusted mail?
    • Is the domain spelled correctly?
  4. Check the attachment
    • Open files only if you consider them absolutely trustworthy
    • Beware of file formats, such as .exe or .bat
      • Invoice-18-05-2021.pdf
      • Invoice-18-05-2021.pdf.exe
    • Avoid activating macros in Microsoft Office documents at all costs
    • In case of doubt (e.g., even if you have a "funny feeling") make sure to contact the sender via an alternative way, e.g., by phone.

If even one of the above points arouses suspicion, contact the sender or delete the e-mail. If you are unsure, you can always consult a colleague.

Domains[Bearbeiten | Quelltext bearbeiten]

Where a link leads to is not always obvious. Therefore, here are some examples to make it easier to recognize the actual destination of a link and identify the actual sender.

None of the characters in the domain can be changed by an attacker. This means that you can only tell if a link is trustworthy by looking at the domain.

The section of the e-mail address that is not part of the domain is often exploited to give the appearance of trustworthiness, as even the text, for example, can be used in these areas by an attacker.

The most commonly used official domains of the University of Paderborn are and

Domain of a link[Bearbeiten | Quelltext bearbeiten]

The domain of a link is delimited by dots . and dashes /. Important are the characters before and after the last dot to the first dash. So, for the link the domain is


Domain of an E-Mail address[Bearbeiten | Quelltext bearbeiten]

The domain of an email address is enclosed by dots and the at-sign @. Important are again the characters before and after the last dot. So, for the e-mail address the domain is


Reviewing the Changelog of your university account[Bearbeiten | Quelltext bearbeiten]

In the Changelog you can check whether the statement of a warning mail about the suspension of your account is true.

Screenshot SP Menu.png

  • Open the ZIM service portal:
  • Log in with your university account data.
  • In the menu "User administration" select the item "Uni account (The access created after successful enrollment (students) or employment (employees) at the ZIM.) settings".

Screenshot Show Changelog.png

  • Then select the "Show Changelog" item and check the log for suspension processes.

FAQ and first aid in case of email phishing and other data leakage[Bearbeiten | Quelltext bearbeiten]

If you have been, or could be, a victim of a phishing attack, or sensitive data of yours has been exposed in some other way, you may face threats as a result. In such a case, many questions and emotions typically arise among those affected. The following overview is intended to provide some answers to possible questions and give advice on how to deal with them and the steps that need to be taken.

What consequences can the leakage of sensitive data have for me?[Bearbeiten | Quelltext bearbeiten]

It is conceivable that third parties could attempt to use stolen data for criminal purposes.

In case of outflow of contact information (e.g., e-mail address, phone number):[Bearbeiten | Quelltext bearbeiten]

The more information attackers have about a person, the easier it is for them to impersonate that person and "steal" their identity with malicious intent. This can lead to downstream phishing attacks, for example, in which attackers can fake a false sender and thus persuade other people (colleagues, business partners, etc.) to hand over sensitive data.

Note: The university email addresses are (especially for employees) often already published via the university websites and thus publicly known.

In case of leakage of login data incl. passwords:[Bearbeiten | Quelltext bearbeiten]

  • Third parties can log in to all services that use the leaked login information (university email, PAUL, PANDA, network storage, service portal, Personmanager, SharePoint, etc.)
    • thereby third parties gain access to further sensitive data such as e-mails, files, grades, ...
  • Furthermore, the manipulation of data, the loss of confidentiality of data, the violation of non-disclosure agreements (e.g., in research projects) as well as the theft of (research) data are possible as a result.

What should I do if my login data has been exposed (e.g., by phishing)?[Bearbeiten | Quelltext bearbeiten]

See: "What to do if I have been deceived?"

Examples of phishing messages[Bearbeiten | Quelltext bearbeiten]

From: University of Paderborn []
Sent: Friday, October 23 2015 00:51
To: winner
Subject: UPDATE!!!

University of Paderborn has released new version web-mail, 2015 edition.

This latest web-mail version comes with new and enhanced features secured and anti-spam protection.

It is recommended, please  click here today to migrate and enable the advanced security features.

© 2015 Informatics Service.
  1. Sender
    • Domain of the sender address is correct
    • Such e-mails from the ZIM usually come from
  2. Content
    • Unexpected e-mail
    • Suggesting the need for action, urging you to act quickly and rashly
    • Unusual formatting (email does not follow official formatting)
    • Impersonal salutation
  3. Links
    • The next step here would be to check the link provided (the true destination of the link will only be shown to you in the status bar of your email program).

      Date: Mon, Nov 10 2014 19:10:23 +0100
        From: Telekom Head of Customer Service <>
    Subject: InvoiceOnline month November 2014 (posting account: 5405293552).


     Telekom Head of Customer Service

     Your bill for November 2014

Good day,

     With this e-mail you will receive your current
invoice. The total amount in the month of November 2014 is: 166,92 EURO.

In the attachment you will find the requested documents for your mobile 
communications InvoiceOnline for November 2014. Your invoice for November 2014[1] - (PDF document).
     This message was sent automatically. Please do not reply to the sender's address.

    Yours sincerely

Ralf Hoßbach
Head of Customer Service

    © Telekom Head of Customer Service 2014 | Help | Contact | Privacy | T&C | Imprint
    Do you have a question for customer service? Then please use our e-mail contact form.

[1] (modified)

  1. Sender
    • The domain of the sender address is conspicuous for an e-mail that is supposed to come from Telekom.
    • If unsure, contact Telekom using contact data you have researched yourself.
  2. Content
    • Impersonal salutation
  3. Links
    • The domain of the link ( does not match an e-mail from Telekom.
  4. Attachment
    • With the conspicuous features described above, you should not open the attachment of this e-mail or only after very thorough consultation (via an alternative communication channel).

From: University of Paderborn <>
Subject: Urgent Notification!!!
Date: May 12 2014 02:35:18 CEST
To: Recipients <>
Reply to:

Dear User,

You are receiving this message from Your email account was
hacked / compromised and used for various spam / phishing activities 
Please click or copy universal following link and change your account details,


Please note that fail to do is resulting in the cancellation of your account. 

Webmail Team

  1. Sender
    • Domain of the sender address is correct
    • Such e-mails from the ZIM usually come from
  2. Content
    • Unexpected e-mail
    • Suggesting the need for action, urging you to act quickly and rashly
    • Unusual formatting (email does not follow official formatting)
    • Impersonal salutation
  3. Links
    • The text in the email could have been chosen arbitrarily (here http:/ only the link displayed in the status bar is the true target.

Can you recognize phishing emails?[Bearbeiten | Quelltext bearbeiten]

Test your IT security awareness via these products by KIT research group SECUSO (Security Usability and Society):

Further information[Bearbeiten | Quelltext bearbeiten]

Bei Fragen oder Problemen wenden Sie sich bitte telefonisch oder per E-Mail an uns:

Tel. IT: +49 (5251) 60-5544 Tel. Medien: +49 (5251) 60-2821 E-Mail:

Das Notebook-Café ist die Benutzerberatung des ZIM - Sie finden uns in Raum I0.401

Wir sind zu folgenden Zeiten erreichbar:

Mo Di-Do Fr
Vor-Ort-Support 08:30-16 Uhr 08:30-14 Uhr
Telefonsupport 08:30-16 Uhr 08:30-14 Uhr

Das ZIM:Servicecenter Medien auf H1 hat aktuell von Montag bis Donnerstag von 08:00-16:00 Uhr und Freitags von 08:00 bis 14:30 Uhr geöffnet.

Cookies helfen uns bei der Bereitstellung des ZIM HilfeWikis. Bei der Nutzung vom ZIM HilfeWiki werden die in der Datenschutzerklärung beschriebenen Cookies gespeichert.