Aarhus University Seal / Aarhus Universitets segl

Information security: The yellow banner in your inbox will be removed

The yellow warning banner at the top of mails to AU employees from external senders will have a short life. AU IT has decided to remove it on the background of negative reactions from many employees. It’s still important that we’re all alert to the dangers of phishing mails.

2021.03.25 | Malene Hjulmand Bundgaard

On Tuesday 23 March, the university’s employees opened their email and found that something had changed. All mails from external senders were now marked with a yellow banner that read:    ‘NB! This email is from an external sender. Be aware of links and attachments.’

Many employees responded swiftly – and negatively – to this new feature, both on Twitter and by email. AU’s information security manager has received around 100 messages about the banner, the purpose of which was to alert employees to potential phishing risks.

AU’s Central Safety Committee (CISU) discussed the situation, and has decided to remove the banner.

“We discovered that the banner had a number of counterproductive consequences for a large proportion of our employees, who receive numerous emails from external senders every day. Fortunately, many of us are now aware of the need to be vigilant about phishing mails, and that we all need training in how to spot attempts at phishing,” explained Arnold Boon, university director and chair of CISU.

University paralysed by phishing attack

Phishing is a form of cybercrime: cybercriminals who attack from outside the university gain access to sensitive data or systems, for example by getting employees to provide their passwords or click fake links.

Such attacks can have very serious consequences, as Aalborg University discovered in the summer of 2020. The university was hit by a massive hacker attack that involved phishing. As a result, employees and students lost access to the university’s IT and data for two weeks, and 400 newly admitted students were unable to confirm their enrolment.

"The yellow banner was intended as a tool to improve security by reminding each employee to check for phishing. Phishing emails are often ‘disguised’ as internal emails are designed by cybercriminals to resemble mails from your manager or the IT department, for example. In such cases, the yellow banner would have reveal that the person who pretending to be an internal sender is actually someone else,” explained Thomas Kaaber, head of information security.

Too many of us take the bait

In recent years, AU's information security team has carried out four campaigns in which a fake phishing email was sent to a number of randomly selected employees and students. In the first three campaigns, 20-30% of the recipients clicked the link in the email. In the latest campaign, which was sent to 1,200 randomly selected employees, 50% clicked on the false link.

That percentage is much too high, according to Kaaber, so it’s necessary to take steps to reduce it – out of consideration for the IT security of the university and individual employees and students:

“Technical solutions such as antivirus programs, firewalls and two-factor authentication can get us part of the way – even though these things can also be a nuisance. But the most effective defence against phishing is for employees themselves to be aware that it’s a real and serious risk in their day-to-day lives. That is why training employees and students to spot phishing emails is a central task for us, so we can avoid ending up in the same serious situation as AAU. The yellow banner was a method that got people’s attention, for better or worse. We are now considering how we can keep employees focused on phishing going forward,” said the head of information security.

More information 

  • At https://au.dk/en/phishing you can learn how to spot a phishing email and what to do if you have accidentally clicked a link in a phishing mail.
Administrative, Administration (Academic), All groups, All AU units, Aarhus University