Phishing
Phishing targets access data like passwords (password harvesting & fishing), but there are also similar emails that are purely about fraud (scam).
The 3 most recently registered phishing attempts or scams:
- 15.10.2024: Password Notification for Tugraz on 15 October, 2024 (Tugraz)
- 8.8.2024: Wichtiger Hinweis (IT Support)
- 15.05.2024: Available? (name of a head of an organisational unit)
You can find older phishing attempts in the archive.
A current phishing attempt is not yet on the list? Then please report it, otherwise simply delete the email!
We only warn explicitly (by email etc.) about phishing attempts if they are exceptionally well done or if several people have already responded to them. In addition, we only list attempts to access TU Graz accounts here. Phishing attempts on other accounts (bank data, PayPal, …) can also land in your TU Graz mailbox, but we are not responsible for these.
Most phishing attempts lure users (mostly via email, but increasingly also in social networks) to web pages that may be deceptively similar to TU Graz pages (logo, corporate design, webmail interface, …) in order to entice users to enter their account data there.
Attention: Even viewing such a website can lead to an infection of your computer, because such pages may also contain embedded software that exploits vulnerabilities of your browser (drive-by download)!
Another variant asks you to disclose your data via email.
Unfortunately, it is hardly possible to automatically detect and filter all phishing emails, as they usually do not have the typical characteristics of spam emails (which are now detected with a very high hit rate).
However, we never ask users to provide us with their password by email (see also the rules of thumb below). Furthermore, in addition to our SSO pages https://sso.tugraz.at/ and https://auth.tugraz.at/, we only ask you for your TUGRAZonline access data on the following pages on the web, whereby the servers on this list (where technically possible) will be successively converted to SSO:
(light grey … being implemented)
- ivpn.tugraz.at - VPN solution for institutes of TU Graz
- rds-webaccess.tugraz.at - the RDS system (Terminal Service) of TU Graz;
all systems reachable from there are protected with a second factor.
The following services are for network access and therefore use the network access password and are not part of SSO:
- https://vpn.tugraz.at - SSL-VPN of TU Graz
These pages are all protected by HTTPS and the certificates are issued to TU Graz.
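The host list above can be applied mechanically to the links in a suspicious message. The following is an added example, not code from TU Graz: it accepts a link only if it is HTTPS and its host is exactly one of the names listed above. The function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts the page lists as the only ones that ask for TU Graz credentials.
LOGIN_HOSTS = frozenset({
    "sso.tugraz.at", "auth.tugraz.at",            # SSO pages
    "ivpn.tugraz.at", "rds-webaccess.tugraz.at",  # other listed login pages
    "vpn.tugraz.at",                              # network access password
})
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def check_login_url(url):
    """Return (ok, reason) for a link that claims to be a TU Graz login page."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port              # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, "not HTTPS"
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' is not the host"
    if port not in (None, 443):
        return False, "non-default port"
    host = (parts.hostname or "").rstrip(".")
    # Exact match only: a listed name used as a prefix or suffix of another
    # host, or a visually similar name, is a different host and fails here.
    if host not in LOGIN_HOSTS:
        return False, f"host {host!r} is not on the list"
    return True, "host is on the list"

def links_not_on_login_list(mail_text):
    """Return [(url, reason)] for each link in the text that fails the check."""
    findings = []
    for url in URL_RE.findall(mail_text):
        ok, reason = check_login_url(url)
        if not ok:
            findings.append((url, reason))
    return findings

# Constructed sample message; example.net is a reserved documentation domain.
SAMPLE_MAIL = """Your mailbox is full. Confirm your password here:
https://sso.tugraz.at.example.net/login
or here: https://sso.tugraz.at@example.net/
The real SSO page is https://sso.tugraz.at/
"""

if __name__ == "__main__":
    for url, reason in links_not_on_login_list(SAMPLE_MAIL):
        print(f"REJECT {url}: {reason}")
```

The check covers the URL only; whether the certificate is issued to TU Graz still has to be verified in the browser.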
If you have nevertheless fallen into such a trap, please change your password immediately - the only place where this can be done is your TUGRAZonline business card (Services - Change password). Tell us that you fell into the trap and that you have already changed the password, so that we do not block you on suspicion!
Phishing Rules of Thumb
- A Windows 8.1 computer (or even older) is not only unsuitable for working
with confidential data, such a computer has no place on the Internet.
- A Windows computer that is also used by other family members is not
suitable for working with confidential data.
- A Windows computer that contains at least one non-legally purchased
program or game or file-sharing software is not suitable for working with
confidential data.
- Before starting up the computer, start up your brain - never vice versa.
- When the computer starts Windows and at some point has finished booting -
immediately press "Windows Update", then update the virus scanner -
but pronto! - to the latest version.
- Before opening Outlook, use your brain and process this causal conclusion:
"TUGRAZonline never sends out emails in which members of Graz University
of Technology are requested to enter data in online forms".
Therefore, "If I receive an email from TUGRAZonline asking me to enter
data into online forms, this email does not come from TUGRAZonline, but from
a gang of scammers."
- Repeat process.
(translated from: Futurezone, modified for TU Graz)
7 Tips on Phishing
by Niklas Hellemann and Markus Schaffrin (quoted from the homepage of
Verband der Internetwirtschaft, eco.de), adapted to TU Graz:
- Be constantly aware that cyber criminals could try to gain access to
TU Graz systems with your help at any time.
Participate in training sessions on a regular basis.
At TU Graz, participation in annual awareness training courses on
cybersecurity is mandatory for all employees in accordance with
rectorate decision 027 of 9 April 2024.
- If you are unsure whether you might have become a victim of a phishing
attack, please report it immediately to your "EDV-Beauftragte",
to it-support@tugraz.at or to it-security@tugraz.at
and forward the corresponding email.
If the email is not marked as spam or suspicious,
report the email.
Also inform them if you have shared critical information over the phone.
- Never share personal information such as passwords, credit card or
transaction numbers via email, messaging service, social media or over the
phone.
This sounds obvious, but you are more vulnerable to manipulation, influence
and deception in the home office.
- In general, avoid clicking on links in emails that lead to
log-in pages.
Instead, save addresses to frequently visited pages in your browser's
favorites list or surf to the page mentioned in the email from the
organization's home page.
- Do not click on any links that you receive via SMS.
It is especially easy to fake the sender here.
Smishing is a method of attack via text message or SMS that calls on you
to follow a link or call a number.
It is better to surf the sender's site directly in the browser.
- Never launch a download link directly from an email unless you are 100%
sure.
Instead, if possible, always start downloads directly from the provider's
website or from the homepage or ftp server of TU Graz.
- Before you open files attached to an email, make sure that the email
really comes from a trustworthy sender.
In case of doubt, contact the sender by phone to make sure that the email
really comes from him or her and point out the possibility of digital
email certificates.
Do not use the telephone number given in the email, but check the official
homepage of the organisation! The telephone numbers displayed for TU Graz
have also been faked; if you are not sure, call the number.
Tips for Email Security