
Internal phishing campaign to minimise the risk of fraud against AU staff

Phishing email messages are an ever-increasing problem, and they can be very convincing. AU’s information security team has decided to make an extra effort to generate awareness of phishing mails and help employees learn how to detect them.

2019.05.29 | Malene Hjulmand Bundgaard

Most of us would probably think "OK, this is a phishing mail" if we received a mail from the only relative of the late king of Nigeria explaining that he has just inherited 63 million dollars and needs a secure account to deposit the money in. And that, naturally, you will receive a modest fee of 20% of the amount for letting him use your account!

But can you always spot a phishing email? The fact of the matter is that phishing mails have become so sophisticated that it can be very difficult to determine whether they actually come from AU, the tax authorities or another public institution. For this reason, we as employees need to be particularly careful in how we handle our mails. And the information security team is making an extra effort to help us learn how to spot phishing mails.

As part of this campaign, the information security team will send out a fake phishing mail to about 2000 randomly selected employees in June. The objective of the campaign is to train us in spotting these mails and in reacting to them appropriately. More specifically, the fake phishing mail will ask us to disclose our AU username and password. Disclosing these is a bit like handing over the key to your house to a burglar.

If you 'take the bait', you will end up on an AU website that explains what has just happened. This won’t have any negative consequences, and the information you have disclosed won’t be saved. However, it is important that you change your password if you do ‘take the bait’. You can help your colleagues by sharing your experiences with them, so that we can all become wiser and more aware of the increasing problem of phishing email messages.  

Typical characteristics of a phishing email

  • Requests that you act immediately – before your account is closed, before the money is withdrawn, etc.
  • Requests to disclose confidential information (for example, password and username) via a link in the email or by answering the email.
  • Requests to open attached files.
  • Links which appear to be official or familiar at first glance, but which reveal a different destination when you hover your mouse over them.
  • A sender address which, on closer examination, is not an official address, for example Aarhus University <aarhusuniversity12@gmail.com>.

Are you in doubt? 

If you think an email may be a phishing attempt, please contact your local IT support team.
And remember not to click links or open attachments.

Fact box

Phishing is an attempt to ‘fish’ for confidential information from the recipient or trick the recipient into installing malicious software on his or her computer.
