Recognize phishing and act competently

Criminals send fake messages by e-mail and scatter false links in order to obtain access data and other confidential information. Phishing is the name of this process. The e-mails are increasingly cleverly adapted to original messages from, for example, mail-order companies or the HRZ service. But if you look closely, you can unmask the forgeries.

With the following steps, you can easily detect phishing. If you recognize that it is phishing during one of the steps, do not perform the subsequent steps, but report the mail directly, see “Phishing detected – What to do now?”.

The sender is plausible for a SECUSO e-mail, the sender is not.

Make it a routine to ask yourself when you receive emails:

  • Is the message unexpected?
  • Does the sender not fit to the message?
  • Is the form of the address incorrect or does it not match the sender?
  • Is sensitive data requested, such as date of birth, a password, PIN or TAN?
  • Are you asked to act quickly, for example to prevent data loss?
  • Are you asked to transfer money or to call someone, while the message contains the necessary information?
  • Do you not have a user account with the supposed sender?

The more questions you can answer with “yes”, the more likely it is a fraudulent message.

Special caution is required with sensitive data such as passwords. Authorities of the TU Darmstadt, including the IT security officer, admins or the HRZ, would not ask you to send your password.

By the way: Most of the questions above can also be applied to the telephone, fax or letter context. Phishing can occur here as well.

If the message contains a link, check where the link takes you, i.e., which web address – also called URL – is actually behind the link without opening the link.

A link can usually be recognized by the fact that the text is blue and underlined. However, links can also be integrated into messages in the form of buttons or images.

On PC and laptop, web addresses usually appear when you touch the link with your mouse without clicking on it. The link will appear either in the status bar or in an info box (also called tooltip).

For mobile devices (smartphones and tablets), the procedure for identifying the web address of a link depends heavily on the device and the app in question. Most of the time, if you hold your finger on the link for at least two seconds, the web address will appear in the dialog box. Make sure you don't accidentally click the link in the process. If you are unsure, wait until you are back at your PC or laptop.

It is best to test this procedure on a mail that is definitely not phishing to familiarize yourself with how to identify the web address on which device.

Once you have discovered the real web address, identify the who area in the web address.

The who area of a web address consists of the two terms separated by a period and located before the first single slash “/” (see image). The who area is the most important area, i.e. the most important indicator for detecting dangerous web addresses and thus messages with dangerous links. In technical language it is called “domain”. If there are numbers here, it is a so-called IP address and it is most likely a dangerous web address.

Example of a fake web address:

Once you have identified the who section in the web address, check whether the who section is related to the (supposed) sender and the content of the message, and whether it is spelled correctly. If the sender or subject does not match the content, do not click on the link. It is very likely to be a fraudulent message.

Attention. Sometimes phishing emails use links that resemble the original and are perceived as correct on cursory reading, for example instead of

If you cannot clearly assess the who area, you should obtain further information, e.g. using a search engine.

If the sender and content of a message seem plausible and the message contains an attachment, check if this attachment has a potentially (very) dangerous file format. Potentially dangerous file formats are:

  • directly executable file formats (very dangerous), e.g. .exe, .bat, .com, .cmd, .scr, .pif
  • file formats that may contain macros, e.g. Microsoft Office files like .doc, .docx, .docm, .ppt, .pptx, .xls, .xlsx
  • File formats you do not know

If the file format is potentially (very) dangerous, then open the attachment only if you expect the same from the sender.

If you are unsure whether you can simply delete the message, you should ask for more information. In doing so, do not use the contact options from the message under any circumstances. For example, call the sender.

If Office programs ask you to run so-called macros after you open them, this is a good time to reconsider whether the message from which the file originated is not a fraudulent message after all. Cancel the process for now. Contact the (supposed) sender using the contact details you know or have researched. Do not use the contact details provided in the e-mail.

Phishing detected. What to do, now?

Forward the email as an attachment to . Then delete the email.

How to forward an e-mail as attachment? See illustrated instructions from the HRZ.

Prefer a video?

Do you remember things better when you see pictures of them? Then take a look at the following two videos. They explain the steps for recognizing phishing and false links in a clear and understandable way.

Error: Loading of resource has failed

Go to original web page


Training offer of the research group SECUSO for the recognition of fraudulent messages: NoPhish course for citizens
(You have to register once on the page on the top right).

NoPhish Quiz: Do you recognize fraudulent messages?

Test your knowledge in the online quiz. The quiz has the format of a short self-test and serves both to raise awareness and to motivate you to deal with the topic of “fraudulent messages” and to gain basic knowledge. To the quiz

Online game Phishing Master

Playfully test your knowledge and crack the high score. To the game

  • Use an up-to-date virus protection program.
    The HRZ has licensed the virus scanner Sophos Anti-Virus for the university campus. Employees and students of the TU Darmstadt can use the software free of charge. Learn more
  • Only update your passwords in the central contact data administration via the official pages of the TU Darmstadt.
  • Check the security status of websites on which you enter personal information. Make sure that the URL begins with “https”. On secure pages that transfer data in encrypted form, a lock appears in front of the URL in the address line of the browser. You can find details on this on the phishing websites of the Federal Office for Information Security (BSI).

The contents of this page are based on the NoPhish concept: Awareness/education/training concept on phishing and other fraudulent messages of the research group SECUSO at KIT and are protected by copyright.