Security when working from home

Edit and send documents, compose emails, and organize and participate in video conferences: For most of us, working from home is the order of the day. For hackers, this is a cause for celebration. This is because the less well-secured private networks and devices make it easier to infiltrate the university network or spread malware.

We give you 8 tips on how you can better protect yourself and the University from digital viruses.

1. Separate professional and private life

Please use University computers exclusively for business purposes, even if it is convenient for checking private emails or surfing the Internet privately. Conversely, if possible, you should not use private computers and smartphones for work. In this way the University is better protected and it is easier for you to separate work from leisure time.

If you occasionally use your private computer or smartphone for business purposes, you should pay particular attention to a clear separation. The best way to do this is to set up a separate computer account without admin rights. This can be done easily and quickly on both Windows and Mac computers. Your installed programs are still available.

Also, please make sure that after editing files, they do not remain on your private device. This applies in particular to system-related temporary files that are created, for example, when email attachments are opened.

2. Computer security

Install a virus scanner and make sure that the operating system, virus scanner, browser, Office, and Acrobat are always up to date.

Even at home, get into the habit of always activating the screen lock when you leave the computer.

3. Internet access security

Your Internet access at home should be as secure as possible. If you use WiFi, make sure you have a long, complex password of at least 16 characters. It is also recommended to limit WiFi access to known devices.

You should always activate VPN if you work in a foreign network, e.g. when visiting relatives, friends, or in a public hotspot. This will prevent your data traffic from being read.

4. Communication security

Much of the information that we exchange on a daily basis is rather uncritical. Important or highly confidential information, on the other hand, should always go through secure channels:

  • Email
    In the case of email, this means encrypting the message or attaching files that are protected with a password.
    >> All information about signing and encrypting emails

  • Messenger
    For messenger services, you should use those with end-to-end encryption, such as MS Teams, Signal, Threema or, if necessary, WhatsApp, but not Skype or Slack.

5. Browser security

If you use a private device for business tasks occasionally, please always use a separate browser for work. For example, if you have been using MS Edge for everything so far, install e.g. Firefox and use it exclusively for professional purposes. Do not use any plugins, Flash or, if not absolutely necessary, Java in your working browser. Clear the cache regularly and do not store passwords in the browser.

6. Use your brain

Experience shows - and this is not meant to be rude - that the biggest risk factor is the person in front of the computer. Be careful not to open attachments, download files, or install programs carelessly. If you don't trust a sender or an Internet site 100 percent, it's better to play it safe and check back via another communication channel.

7. Recognize dangerous emails

If you receive an email that has one of the following characteristics, for example, you should become suspicious:

  • General greeting
    "Dear customer ..."

  • Urgent request for action, unrealistic time pressure
    Many suspicious emails ask users to disclose data, visit Internet sites, or reply to the email within a few days or hours.
    "If you do not update your data immediately, it will be irretrievably lost ..."


  • Threats, blackmail
    "If you do not, we will be forced to suspend your account..."

  • Call for the release of confidential data
    Password, PIN for your online bank access, credit card number

  • Lawyer or debt collection
    Lawyers and debt collection agencies never send official letters by email.
    "The subject of my assignment is to investigate the violation of the duty to inform committed by you on their website, in accordance with Article 13 EU-DSGVO, in accordance with the duties to inform previously regulated in various laws ..."

  • Bad German

  • Incorrect punctuation
    Cyrillic letters, incorrectly written out or completely missing umlauts (a/ae instead of ä)

But beware: unlike a few years ago, many fraud attempts now have no linguistic shortcomings whatsoever. You should therefore be vigilant even with well-written text.

Examine file attachment

If you open a file attachment in a fraudulent email, you are almost one hundred percent certain to download malware onto your computer. Whether a file attachment is dangerous is not easy to determine in advance. Here it is absolutely important that you verify the sender. If this is not possible, here are a few tips:

  • Macros in Office files
    In general, be careful when opening Office files. If you are asked to activate macros right at the beginning, cancel immediately.

  • Office documents from unknown persons
    Do not open Office documents from unknown persons (applicants, ...). Have the documents sent to you again as PDF files.

  • File names
    Make sure that your email program always displays the full file name: "bild.jpg" instead of "bild" or "studie.docx" instead of "studie". Otherwise, attackers can exploit this by sending you disguised programs: you are shown "image.jpg", but the true file name is "image.jpg.exe". When you click on such an attachment, the program is started immediately.
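
The file-name and macro tips above can be expressed as a small check. This is an added example, not part of the original page; the extension lists and the function names are assumptions chosen for illustration, and "no-finding" does not mean that an attachment is safe.

```python
import os

# Assumption: file types Windows runs directly when opened (not a complete list).
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# Assumption: harmless-looking types used as the visible, fake extension.
DECOY = {".jpg", ".png", ".pdf", ".docx", ".xlsx", ".txt"}
# Office formats that can carry macros (.docx and .xlsx cannot store them).
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}


def shown_when_hidden(filename):
    """Name a program displays when it hides the final extension."""
    return os.path.splitext(filename)[0]


def attachment_verdict(filename):
    """Return 'cloaked-executable', 'executable', 'macro-capable' or 'no-finding'."""
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    inner = os.path.splitext(stem)[1]   # extension sitting in front of the real one
    if ext in EXECUTABLE:
        return "cloaked-executable" if inner in DECOY else "executable"
    if ext in MACRO_CAPABLE:
        return "macro-capable"
    return "no-finding"


if __name__ == "__main__":
    # Constructed attachment names, based on the examples in the text.
    for name in ("bild.jpg", "studie.docx", "image.jpg.exe",
                 "Bewerbung.docm", "setup.exe"):
        print(f"{name:16} shown as {shown_when_hidden(name):12} "
              f"-> {attachment_verdict(name)}")
```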

Verify sender

If an email seems suspicious to you, please investigate the sender address. The email domain is particularly important here, i.e. everything after the @ sign.

With a little research, you can quickly find out whether this is even an official email domain of the company. For example, Deutsche Bank will certainly not send any emails with the @gmail.com domain, and neither will our President.

In addition, you can also compare the email address with that from older emails. Or you can call the sender to find out.

Examine links

Before you click on a link, always check which destination address is displayed when you move the mouse over it and whether this address is plausible. Also pay attention to the correct spelling.

Examples of problems: UNI-H0HENHEIM.DE (zero instead of o), uni-hohenheim.serv.ru, PAYPA1.COM, ...

Please also note the recommendations for action against email fraud issued by the Baden-Württemberg State Office of Criminal Investigation.

8. Recognize dangerous websites

Fraudulent websites can copy a trusted website and trick you into entering confidential information. This could be the homepage of the University, a mobile phone provider, or a bank. Of course there are also false webshops or pages from false service providers.

Recognizing such sites is not always easy. If a website has one of the following characteristics, for example, you should become suspicious:

  • HTTP instead of HTTPS
    With HTTPS, unlike HTTP, the traffic is encrypted. You can recognize HTTPS by a closed padlock in the navigation bar of your browser.

    For many sites, it makes little difference to you whether HTTP or HTTPS is used. But as soon as you enter log-in data, place orders, or make other interactions, make sure to look for the padlock.

    However, this is not a panacea. Some phishing sites may use HTTPS to appear legitimate. As a rule of thumb: If a website does not display this padlock, do not enter your password or credit card number.

  • Fake domains
    Is the address plausible? Also pay attention to the correct spelling:
    UNI-H0HENHEIM.DE (zero instead of o), uni-hohenheim.serv.ru, PAYPA1.COM, ...

  • Missing or incomplete legal notice
    If a website has no or an incomplete legal notice, do not enter your password or credit card number there.

  • Malicious redirects
    If you are immediately redirected to a completely different, especially a dubious, website, it is a malicious redirect. The original website was then faked or hacked. You shouldn't be on a site like this.

9. Zoom security

Currently, Zoom is increasingly used for video conferences and online seminars worldwide. This popularity makes Zoom more interesting for hackers who want to entice you to install malicious software with fake meeting invitations. The other problem is that with the wrong settings, unknown "trolls" can join the meeting to share disturbing content.

Therefore please pay attention to the following:

  • Verify the meeting invitation
    Check two things with invitations: verify the sender (see above) and the link to the meeting.

    correct: zoom.us

    wrong: zoom.us.ru, Z00M.COM (0 instead of o), ...

  • Always create a meeting
    Do not use your personal meeting ID for a meeting, but always create a scheduled meeting.

  • Closed meetings only with password
    Define a password for each Zoom meeting so that no third party can join the meeting.

  • Send invitations via a different channel
    Do not send the invitation and password directly via Zoom. Instead, use email or another channel. You can copy the meeting access data from Zoom using the clipboard.

For public events

  • Prevent participation before the host arrives
    Disable "Allow participation before the host" so that users cannot cause problems before you arrive.

  • Restrict screen sharing
    Restrict screen sharing at the beginning of the meeting: Bottom menu [ Share Screen ] > advanced sharing options > [ Host only ]

  • Disable file transfer (Pro license only)
    Deactivate "File transfer" so that no harmful files can be transferred, for example.

  • Verify links in chats
    Malicious links can be placed in chats. Please look carefully before clicking on them.
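
The plausibility check for links described under "Examine links", "Fake domains" and "Verify the meeting invitation" can be automated as follows. This is an added example, not part of the original page; the trusted list, the substitution table and the function names are assumptions, and the same check can be applied to the part of a sender address after the @ sign.

```python
from urllib.parse import urlsplit

# Assumption: the domains a reader of this page expects to see.
TRUSTED = ("uni-hohenheim.de", "zoom.us", "paypal.com")

# Digit-for-letter swaps like those in the page's examples (0 for o, 1 for l).
# A deliberately small table; real lookalikes use many more substitutions.
SWAPS = str.maketrans({"0": "o", "1": "l"})


def host_of(link):
    """Return the lower-cased host of a URL or bare domain (no port, no userinfo)."""
    if "//" not in link:
        link = "//" + link          # let urlsplit treat a bare domain as a host
    return (urlsplit(link).hostname or "").rstrip(".")


def check_link(link, trusted=TRUSTED):
    """Classify a link as 'trusted', 'lookalike' or 'unknown', with a reason."""
    host = host_of(link)
    if not host:
        return ("unknown", "no host found")
    # 1. Exact trusted domain or a genuine subdomain of it.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return ("trusted", domain)
    # 2. Becomes a trusted domain once digit swaps are undone (PAYPA1.COM).
    normalized = host.translate(SWAPS)
    for domain in trusted:
        if normalized == domain or normalized.endswith("." + domain):
            return ("lookalike", "character substitution for " + domain)
    # 3. Trusted name used as a label under a different domain (zoom.us.ru).
    labels = normalized.split(".")
    for domain in trusted:
        if domain.split(".")[0] in labels:
            return ("lookalike", domain + " name under a different domain")
    return ("unknown", "not on the trusted list")


if __name__ == "__main__":
    # The page's own examples plus two legitimate links (constructed).
    for link in ("https://zoom.us/j/123", "www.uni-hohenheim.de",
                 "UNI-H0HENHEIM.DE", "uni-hohenheim.serv.ru",
                 "PAYPA1.COM", "zoom.us.ru", "Z00M.COM"):
        print(f"{link:28} {check_link(link)}")
```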
