Detection of Scam E-Mails

When dealing with scam e-mails, be it phishing or spam, everyone's vigilance is required. For indications on how to recognize such e-mails, go to the phishing and e-mail security section as well as the Checklist: How to Detect Scam E-Mails.

If you receive a suspicious e-mail related to the University of Münster (e.g., from an @uni-muenster.de/@wwu.de e-mail address or an e-mail address that looks confusingly similar or with content related to the University of Münster), please contact spam@uni-muenster.de and forward the corresponding e-mail as an attachment, preferably in its complete form. Do not reply to such e-mails and do not open any attachments or links!

  • General Recommendations

    In order to maintain the security of your e-mails and personal information, but also to protect your devices against malware, you should follow the recommendations below, both in the work and private environment:

    • Checking/sending e-mail should only be performed on trusted devices that are equipped with basic security measures (up-to-date software configuration and antivirus program).
    •     Make sure that the connection to the e-mail server is encrypted. For webmail (e.g. OWA or Permail), the address should start with "https"; for local email applications, SSL/TLS encryption should always be activated in the settings.
    •     Do not open unknown or unexpected file attachments. If the e-mail comes from a known individual, check before opening it, preferably by another method, whether the e-mail was actually sent by this person.
    •     Be particularly careful with links in e-mails. Even if you know the sender, you should examine links carefully (hover over the link and check the URL) before clicking on them. Do not click on links from unknown senders or possible scam e-mails.
    • Do not respond to possible spam or phishing e-mails under any circumstances. It is best to delete such emails immediately. If you are concerned that it may be a legitimate e-mail, contact the supposed sender by another method.

  • Recommendations for Work-related E-mails

    For work-related e-mails, some further recommendations must be considered:

    • The e-mail box provided by the University of Münster must always be used for work-related matters.
    • The automated forwarding of work-related e-mails to external -mail boxes is not permitted.
    • If possible, all work-related e-mails, especially e-mail messages sent to a large number of recipients, should be digitally signed.
    • If you send (strictly) confidential information, such as passwords, you also have to encrypt the e-mail (end-to-end). Transport encryption SSL/TLS encrypts the data only as far as the e-mail server.
    • End-to-end encryption of all messages is not recommended, as this also prevents access to the e-mails in replacement or successor situations.
    • Ensure that you enable central spam and virus filtering for your e-mail inbox to reduce the delivery of unwanted or dangerous e-mail. This can be set in the IT portal under " E-mail" --> "Protection against spam and viruses".
    • The use of the app "Microsoft Outlook" for Android and iOS is not permitted for accessing e-mails from the mail servers of the University of Münster. By using the app, you are, for example, disclosing your passwords to third parties, which violates the IT usage regulations of the University of Münster. Although the app uses the Microsoft Outlook logo, it originally comes from the company Acompli and stores login data on third-party servers outside the DSGVO area (see Heise). Here you can find instructions on how to access your Exchange mailbox alternatively with iOS or Android Mail. You can also access your e-mails directly via the browser of your (mobile) device using the Outlook Web App.
      The original Microsoft Outlook program (from the Office package) under Windows or macOS is not affected by this.

  • E-mail Signature and Encryption with Digital IDs

    Sending e-mails acts similar to the classic postal delivery of a postcard. E-mails are not encrypted or signed by themselves, so anyone with access to parts of the transport route can read or modify the content of the e-mail. Anyone with a bit of expertise can take a look at the postcard, i.e. read it, draw on the postcard, i.e. change it, and send postcards under a false name, i.e. fake them.

    At the University of Münster, digital IDs, also called user certificates, are used to sign e-mails, which allows a sender from within the university to be recognized as legitimate. Basically, signing an email digitally is like putting a postcard in an envelope and sealing it. Since only the owner of the seal can set it, anyone who recognizes the seal can confirm its origin. In addition, as long as the seal is intact, the recipient knows that the postcard has not been manipulated. In addition, e-mails can be encrypted end-to-end with digital IDs so that no one can read them during the delivery process. To do this, the recipient needs his or her own digital ID. More detailed information on this function can be found, for example, at the BSI.

    Efforts are being made to digitally sign all official e-mails from the University of Münster and, if possible, all other official e-mails as well. For this purpose, members of the University of Münster can apply for digital IDs free of charge in the IT portal.

    Every up-to-date e-mail application offers the option to automatically sign your conversations as soon as a digital ID is available, or to encrypt them if required. Signatures of received emails are also automatically verified and displayed with a seal if successful. For more information on applying for and using digital IDs, visit the CA's web pages.

    Applying for a digital ID
    Setting up a digital ID

  • Special Recommendations for Microsoft Outlook

    Disable the automatic loading of external media, such as embedded graphics, as they may contain malware or inform the criminals that the e-mail has been read:
    File --> Options --> Trust Center --> Trust Center Settings --> Automatic Download --> check "Do not automatically download images in standard HTML messages or RSS elements".

    Special Recommendations for Microsoft Outlook
    © Universität Münster

    Set the text-only format in your e-mail box:
    Outlook --> File --> Options --> Trust Center --> Trust Center Settings --> Email Security, select: "Read as text-only emails" and check each "Read standard messages in text-only format" and "Read digitally signed messages in text-only format".

    © Universität Münster