Blog entries

Phishing: Don’t be ashamed if you take the bait...

Phishing emails are becoming more and more sophisticated, both in terms of appearance and method, which poses a huge threat to our digital security and means we as individuals really have to stay on our toes. If you take the bait, there’s nothing to be ashamed of. The most important thing we can do is to to react quickly and be open about our experiences.

One Saturday not long ago, I got an urgent mail from the rector. At first glance, the mail looked credible, but my gut feeling told me to send him a text message just to be sure. As it turned out, the mail was a fake. I understand why people fall into these traps. Because cybercriminals are constantly developing ever more inventive and cunning ways to defraud us of our usernames and passwords. And this is why phishing is an increasing threat to IT security at Aarhus University.

As in my case, attacks can target an individual. But they can just as well target a group. Earlier this month, AU was subjected to just such an attack: a phishing mail purporting to be from Aarhus University’s library system was sent out to a lot of people. There was a link to an exact copy of the WAYF website, and recipients were instructed to change passwords. What was special about this attack was that it was launched while the Royal Danish Library was in the process of switching to a new IT system. The attack was apparently timed to reach recipients during a period when their defences were down. There are a lot of examples of this – not just at AU, but in the university sector in general. This summer, 500 employees at the University of Copenhagen were tricked into revealing their UCPH usernames and passwords on a fake website. The leaked data were then published online, freely accessible.

IT security is something we need to take seriously. As a university, we are particularly vulnerable – among other reasons because, as a research institution, we are required to be open and accessible. This doesn’t always rhyme with IT security. So it’s particularly important that we are constantly aware of this vulnerability in our daily work.

What each of us can do

And what can each of us do? We can be vigilant –and we can be open!

I like to think about our usernames and password as the key to our homes: if you give away your key, you’ve opened your door to thieves. The most important thing we can do as individuals is to be vigilant when someone asks us for our key online. Doublecheck the identity of the sender just to be absolutely sure. And if you have even the slightest doubt about the sender’s authenticity, contact AU’s information security unit, check back with the sender or ask a co-worker’s opinion. I’ve received mails that looked suspicious to me but that turned out to be legitimate. But better safe than sorry.

In addition to being vigilant, I also think it’s even more important for us to be open about phishing mails. Both in the event that we take the bait, and if we have the slightest suspicion that we might have done so. AU’s information security unit receives far fewer notifications than there are phishing mails in circulation. The sooner AU IT is informed about possible attacks, the earlier they can block the content and take the necessary precautionary steps. I don’t believe anyone falls for a phishing mail on purpose, and no one needs to fear punitive measures if they do. The better we are at talking about IT security, sharing our suspicions or unfortunate incidents, the better we will get at learning from our mistakes, preventing attacks and taking the right course of action if we accidentally take the bait.

The cybercrime threat level at Aarhus University has been assessed as high. As a consequence, we will be focussing on how we can make everyone more aware of this threat. In a cybersecurity campaign that will be rolled out next week, random students will receive a fake phishing mail. A similar campaign directed at employees will take place at a later time. We ran campaigns like this in 2018 as well as earlier this year. Analysis of the results shows that about 30% of the recipients opened the mail, while 10% clicked through the entire mail and handed over their username and password.

We know that this kind of campaign is effective because it increases our awareness of the problem. We all know based on our own experience how difficult it can be to detect phishing. So I’d like to encourage all of you to view these campaigns as periodic training in how to spot phishing mails, and a chance to refresh your knowledge about to handle them correctly. And we need to share these experiences with each other.

Together, this is how we can improve our IT security. 

If you want to learn more about information security and what to do if you take the bait, read more at