Currently, there's an increasing number of so-called ClickFix attacks (also known as Fake-Captcha attacks) being observed against members of the University of Münster. This attack method lures users to manipulated websites that display seemingly harmless Captcha prompts, error messages, or verification requests (e.g., "I am not a robot," "Please verify you are human," or "To fix the problem, please follow these steps"). Entry often occurs via manipulated search results, compromised websites, phishing emails, or advertisements. Instead of a genuine Captcha check, users are instructed to perform a dangerous action or key combination.

Anyone who executes these steps unknowingly starts malware on their device or unwittingly grants attackers access to services. Attackers use this to steal login credentials, session cookies, or other sensitive information, or to permanently compromise the system. Often, stolen credentials are then used for further attacks. Similar variants exist for macOS and Linux, prompting users to execute commands in the terminal.

The media have recently reported repeatedly on phishing attacks carried out via the messaging services WhatsApp and Signal.
If you have forwarded security codes in the messenger or scanned a QR code, you may be affected. The German domestic intelligence services provides detailed information, particularly on how to detect a potential compromise, at https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/praevention_wirtschafts-und_wissenschaftsschutz/2026-04-27-phishing-via-messenger-services.html
This is not a compromise of the Signal messenger itself. Signal therefore continues to be classified as secure (for private use).

In this context, the Ministry of the Interior of North Rhine-Westphalia also warns against using the Russian messaging service MAX. This app provides Russian security authorities with maximum access to digital devices. If you install the MAX app on your own device, you must therefore expect all stored information to be passed on to the Russian security authorities. You should therefore not install this app on devices on which you process work-related data.

A number of apps and programs are not permitted to retrieve emails from the University Münster mailboxes (both via Exchange and IMAP or POP).

The list currently includes the following applications:

• Outlook-App for Android and iOS
• Outlook for MacOS (when using IMAP with CloudSync)
• The "new Outlook" or "Outlook (new)" (the Outlook version pre-installed under Windows 11)
• Edison Mail
• Newton Mail
• Spark Mail
• BlueMail
• Xiaomi Mail/MiMail
• Canary Mail
• myMail
• Mail.ru

The new Outlook version will replace the pre-installed e-mail program in Windows in 2024, and later also the classic Outlook from the Office package. The new version synchronizes data with the Microsoft Cloud when using IMAP or POP (Exchange is not affected), which means that e-mail content and passwords are transmitted to Microsoft.

Several attempts of targeted scam via e-mail have been observed over the past few weeks. In those cases directors of different departments have been impersonated to send out e-mails with requests for assistance ("Are you available?").

The Microsoft Outlook app for Android and iOS and the Edison Mail app (all platforms) are not permitted for accessing e-mails from university e-mail accounts (via Exchange, IMAP or POP). By using these apps, you are passing on information such as your passwords to third parties.

When setting up IMAP accounts with Microsoft Outlook for macOS with the option "Synchronize with Microsoft Cloud" enabled by default, passwords and e-mail content are forwarded to the Microsoft Cloud (see Heise). This means that sensitive data is no longer confidential, but is transmitted to Microsoft.