Who do you send confidential data to?

Assume you receive the following email from your boss:

From: Hans Pongratz <HansPongrats@gmx.de>
To: Max Mustermann <max.mustermann@tum.de>
Subject: Urgent: Employee list required

Dear Mr Mustermann,

The president requested that I provide him with a list of all employees of the Campus Management Team.

Unfortunately, I only have restricted access to the TUM systems while on vacation. Please provide me a list of all employees, including their name, employee number, telephone number, email address, pay scale and contract termination date.

As usual, this is an urgent matter, so I need the information today.

Best Regards,
Hans Pongratz

--
Dipl.-Inf. Hans Pongratz

Vice President, TUM IT Systems & Services (CIO)

What would you do?

Obtain the data and answer the email, or are you a little skeptical?

A hacker can very quickly find, on the Internet, all of the facts needed to make this email appear authentic. Try it yourself.

Search for "Hans Pongratz" and look at his CV. You could probably find a suitable email recipient with relative ease by searching for the TUM Campus Management Team. Mr Mustermann is fictitious, of course.

Did you notice...?

Did you notice that the email appears to be from Hans Pongratz, although it was sent from a "gmx.de" account? There is also a minor spelling error in the name used in the address ("Pongrats" instead of "Pongratz").

Unfortunately, gmx.de does not check whether the name and email address match the person, not to mention whether it is THE Hans Pongratz. Anyone can acquire such an address!

Why all the effort?

In this situation, a hacker who fools his victim this way could get his hands on sensitive data belonging to the members of a very centralized IT project.

What could he do with the information?

  • Attempt to bribe someone on a lower pay scale or whose contract is about to end?
  • Pose as a member of another university that urgently needs experienced people to launch Campus Online, and attempt to lure someone away from TUM?
  • Or the hacker goes one step further and creates a profile on sites like Facebook/Xing/LinkedIn (potentially using Hans Pongratz's name if he isn't a member) and tries to network or become friends with employees. A wealth of confidential information has already been divulged on social networks, because people feel like they are in their private sphere.

What should you do in a situation like this?

  • First, take the time to consider if the situation is really plausible. Is the boss actually on vacation without access to the TUM systems?
  • When in doubt, call the (alleged) sender and ask if he really originated the email.
  • Send confidential data only to recipients you trust, in other words:
    • to recipients whose email addresses are already known to you. Be skeptical of unknown addresses, even if they sound plausible.
    • The best approach is to send confidential data only to email addresses that end in .tum.de, @tum.de or @mytum.de. Avoid the use of private addresses if at all possible. Every member of TUM can set up an @tum.de email address and use it from anywhere in the world with the web frontend (https://mail.tum.de), even with a smartphone! Anyone who can send and receive emails with a web.de, gmx.de or gmail.com email address can do the same with an @tum.de account.
    • If possible, compress the data in a password-protected ZIP file and provide the password per telephone.
  • And, if you press "reply," check the email address of the recipient in the reply email. It is possible to configure an email with a reply address that is different from the originator address. In other words, the email could display pongratz@tum.de as the originator with HansPongrats@gmx.de as the reply recipient.
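The two header checks from the last bullets (a sender outside the TUM domains, and a reply address that differs from the originator address) can also be automated. The following Python snippet is an added example and not part of the original page; the trusted-domain list is taken from the page, and the sample messages are constructed from the page's example email.

```python
# Added example (not from the original page): flag the two header signs the
# page describes: an originator outside the trusted domains, and a Reply-To
# that differs from the From address (and possibly points outside as well).
from email import message_from_string
from email.utils import parseaddr

# Domains the page treats as trustworthy for confidential data
# (matches @tum.de, @mytum.de and any subdomain ending in .tum.de).
TRUSTED_DOMAINS = ("tum.de", "mytum.de")


def is_trusted(address: str) -> bool:
    """True if the address belongs to a trusted domain or one of its subdomains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_headers(raw_message: str) -> list[str]:
    """Return human-readable warnings about the From and Reply-To headers."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))      # display name is ignored
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))  # empty if header absent
    warnings = []
    if not is_trusted(from_addr):
        warnings.append("external From: " + from_addr)
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append("Reply-To differs from From: " + reply_addr)
        if not is_trusted(reply_addr):
            warnings.append("external Reply-To: " + reply_addr)
    return warnings


# Constructed sample 1: the page's email, sent from a gmx.de account.
PAGE_EMAIL = """From: Hans Pongratz <HansPongrats@gmx.de>
To: Max Mustermann <max.mustermann@tum.de>
Subject: Urgent: Employee list required

Dear Mr Mustermann, ...
"""

# Constructed sample 2: the Reply-To trick from the last bullet.
REPLY_TO_EMAIL = """From: Hans Pongratz <pongratz@tum.de>
Reply-To: Hans Pongratz <HansPongrats@gmx.de>
To: Max Mustermann <max.mustermann@tum.de>
Subject: Urgent: Employee list required

Dear Mr Mustermann, ...
"""

if __name__ == "__main__":
    for sample in (PAGE_EMAIL, REPLY_TO_EMAIL):
        print(check_headers(sample) or ["no warnings"])
```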