Email filter to protect TU Delft from phishing

Phishing, a type of digital fraud in which criminals try to steal sensitive information such as bank and login details, is a growing problem. At TU Delft as well.

To combat phishing, TU Delft started using a new email filter last week called Proofpoint. Proofpoint checks the links in emails from third parties anywhere in the world and on any device that a staff member uses. The system thus protects computers, laptops, tablets, telephones and any other mobile devices both at TU Delft and at home.

Thousands of fake emails
Is an email filter like this really necessary? According to Marthe Uitterhoeve, Lead Security Officer, it is. “Thanks to alert staff members, the security team (part of the IT Department) catches a few hundred messages through abuse@tudelft.nl every month. Still, some fraudulent messages still manage to slip through.”

Last year the security team was suddenly confronted with four serious incidents in which alert staff members reported thousands of suspicious emails. In one case, the criminals even used the mailbox of a staff member to send other TU Delft staff members a phishing email. While this incident did not damage TU Delft, it did put a huge burden on the security team because of the huge numbers of messages that the abuse email address received.

Apart from an increase in fraudulent messages, the security team have also seen a few cases of associated ransomware where hackers ‘kidnap’ a computer and only release it after a ransom is paid.

Password theft is a regular occurrence too, says Uitterhoeve. “In some cases this is even about geopolitical espionage. Hackers try to mislead particular individuals, for example someone in a relevant subject area, with phishing emails.”

And my privacy?
While it is reassuring to know that TU Delft is protecting itself better, it feels as though there is always someone reading over your shoulder. But Uitterhoeve explains that we do not need to worry about our privacy. “The process is fully automated and the filter system runs in the TU Delft’s own data centre. This means that third parties cannot read the emails and that no emails go to external third parties. What does happen is that an automated system analyses attachments and URLs for malware (malicious software) in Proofpoint’s data centres. If they do not seem to be fraudulent, the attachments and URLs will not be saved. Among other measures, strict agreements have been made in a data processing agreement to protect privacy.”

Are we now free from malicious infiltration? “No,” says Uitterhoeve, “the filter is not 100% watertight. It does not recognise spaces in a link, for example in tudelft .nl. CEO fraud is also hard to trace.” CEO fraud? “This is a type of abuse where somebody pretends to be a colleague or manager with the intention of manipulating you to transfer money. It often uses email addresses such as name.surname.tudelft@hotmail.com. As the emails do not contain any links, they slip through the filter easily.”

So always be alert, recommends Uitterhoeve. If you want to know how, read how to spot a fake email here.

How does the new email filter work?

• The new Proofpoint filter runs on TU Delft’s email server and operates independently of the workspace or device. 
• The filter only scans messages originating from senders outside TU Delft.
• Attachments are scanned in Proofpoint’s European Data Centre in Germany. Any links in the attachments will also be analysed.
• URLs are re-written by the TU Delft email server and analysed once from the Proofpoint Data Centre in the United States. Should a link appear suspicious, the email address of the first click and the malicious link are recorded. It is important for TU Delft to know who the first person who clicked was so that he/she can be contacted to check if his/her system has not been further infected.
• All details are encrypted and cannot be traced to individuals by Proofpoint.
• Internal emails (from and to TU Delft email addresses) are not analysed or saved.
• A process contract between TU Delft and Proofpoint lays down agreements on the protection of personal data. The agreement is subject to Dutch law to comply with the GDPR. Proofpoint is Privacy Shield certified.