Phishing E-Mails

Phishers exploit known security gaps in browsers, e-mail programs and other software. Most manufacturers therefore publish updates (“patches”) at short intervals that close gaps as they become known. Install these security updates as soon as possible; many manufacturers notify you of new updates automatically. The Federal Office for Information Security (BSI) also provides further information in its fortnightly newsletter “Sicher – Informiert” (Secure – Informed), published by the BSI’s BÜRGER-CERT at https://www.buerger-cert.de/.

These points are particularly important:

Look for the lock symbol in the status bar of your browser. Only if this symbol appears is your data transmitted in encrypted form (using SSL). Clicking the lock symbol opens a window (the “certificate”) with information about the operator of the website. The name of the website given there must match the name in the status bar, and the certificate must have been issued by a recognised body. There are now a large number of private and public certificate providers; the Federal Network Agency is the responsible supervisory authority and publishes on its website the names of the providers it has audited. Your browser displays a warning if a certificate has expired or comes from an untrusted source.

Make sure that the web address (URL, Uniform Resource Locator) in the address line begins with “https” rather than the usual “http” – this is a clear indication that an SSL-secured connection has been established. Unfortunately, fraudsters can also forge the “https” in the URL. As an additional check, right-click the page, open the “Page information” dialog and look up the page’s actual source there.
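The “https” check described above can be applied to the links in an e-mail before anyone clicks them: the scheme must really be “https”, the word “https” must not merely appear elsewhere in the address, and the domain shown in the link text must match the domain the link actually points to. The following Python helper is an added example, not code from the original page or from GITZ; the sample links and the two-label domain approximation are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample links as they might appear in an e-mail: (visible text, actual href).
SAMPLE_LINKS = [
    ("https://www.tu-braunschweig.de/", "https://www.tu-braunschweig.de/"),
    ("https://bank.example", "http://bank.example.login-check.invalid/https/"),
    ("bank.example", "https://www.bank.example/account"),
]


def registrable_domain(host):
    """Crude approximation (assumption): the last two labels of the host name.
    A real implementation would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_address(text):
    """True when the visible link text itself looks like a URL or a domain name."""
    stripped = text.strip()
    return " " not in stripped and "." in stripped


def check_link(visible_text, href):
    """Return a list of warnings for one link; an empty list means nothing suspicious."""
    warnings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""  # .hostname yields only the host part, lower-cased
    if parsed.scheme != "https":
        warnings.append("target is not https")
    # Heuristic: 'https' anywhere other than the scheme is a display trick, not encryption.
    if "https" in host or "https" in parsed.path.lower():
        warnings.append("'https' appears in the host or path, not as the scheme")
    # If the visible text looks like an address, its domain must match the real target.
    shown = None
    if looks_like_address(visible_text):
        shown = urlparse(visible_text if "://" in visible_text else "//" + visible_text).hostname
    if shown and registrable_domain(shown) != registrable_domain(host):
        warnings.append(f"visible text points to {shown} but link goes to {host}")
    return warnings


if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(text, "->", href, check_link(text, href) or "ok")
```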

Use the NoPhish training of the SECUSO research group at
https://secuso.aifb.kit.edu/betruegerische_nachrichten_erkennen.php

Watch the SECUSO research group’s anti-phishing videos on YouTube.

More information: anti-phishing information from the SECUSO research group at TU Darmstadt.

Banks, online shops and other reputable providers naturally know the phishers’ tricks and therefore never send e-mails containing links that ask you to enter confidential data. If you receive such a request by e-mail, delete it immediately. If you are unsure, simply call your business partner and ask – but never click on links in e-mails. The same applies to telephone calls: never enter passwords, PINs or TANs on the telephone keypad or into a voice system if someone calls you and asks you to do so.

Do not click on links contained in e-mails; always type the Internet addresses of the pages you want to visit manually!
Do not respond to supposed calls from your bank or an alleged business partner asking you to enter your PIN or TAN – for example, under the pretext that your credit card has been lost.

As a rule, switch off the “Run active content” function in your browser. If you do not want to or cannot do without it (some websites do not work without active content), configure your browser to ask you in each individual case whether active content may be executed.

Only open e-mails and their attachments if they come from a trustworthy source.

Use a firewall and anti-virus software and make sure they are updated regularly.

Make sure that all software updates for the operating system and other software are installed as soon as they appear; use the automatic updates offered!

As a member of TU Braunschweig, inform the GITZ immediately via the Service Desk! The staff responsible for security issues can follow up the incident and check whether any damage has been done. Otherwise: if sums have already been transferred without authorisation, contact the police immediately – in compliance with your employer’s regulations, if applicable.

See also: https://www.bsi-fuer-buerger.de/BSIFB/DE/Risiken/SpamPhishingCo/Phishing/Schutzmassnamen/schutzmassnamen_node.html

Here you can check whether your e-mail address appears in a known data leak or hack:

“Have I been pwned?” information page.

More information at:
http://blogs.tu-braunschweig.de/it/e-mail-irrtum-4-phishing-mails-erkenne-ich-leicht-2/