Recognize a phishing e-mail

Always be vigilant when you receive emails. Companies do not ask for personal information or account details via email. This also applies to the ICT or HR department of our university.

Accidentally clicked on a phishing link or think you recognize a phishing email? Please report this immediately.

Report a security problem

What is phishing?

A phishing e-mail is a fake e-mail that is often forged so cleverly that it is hard to distinguish from an authentic one. Hackers "fish" for your data in this way or spread viruses that give them access to your data. Beware of strange requests from an 'acquaintance'. Sometimes hackers try to impersonate an acquaintance (e.g. a colleague), asking the addressee to share certain information. A typical example of this is a request to make emergency payments or buy gift cards for someone who is unable to do so themselves. When in doubt, always contact the person in question (preferably by telephone) to verify that the request is indeed from that person. And if you are asked for (confidential) information, always consider whether you are allowed/able to give it. If in doubt: don't do it!

How to recognize a phishing e-mail?

Recognizing a phishing message always starts with whether or not you trust the message. If the sender is strange, you weren't expecting such a message in the first place, there are many errors in the language, or the message unexpectedly puts great pressure on you, alarm bells should ring immediately.

  • Always check the sender's e-mail address. This is done by hovering the cursor over the sender's e-mail address. With a phishing e-mail, the sender's address is often one that vaguely resembles the real name of an organization or company.
  • Only click on links after you have checked that the URL contains nothing strange, such as weird characters or strange words. Check the URL (the address) of a link by hovering over it with your mouse (don't click, of course!).
  • Open attachments only if you are expecting them and they have a reliable extension (such as .docx or .xlsx). 
  • Be extra vigilant when an e-mail conveys high urgency or imposes a time limit. Phishing often involves threats of dire consequences or high costs if you don't act quickly.
  • Never respond to a colleague's private e-mail address. Anyone can create any email address.
  • When in doubt: don't do it! Contact the person in question by phone and ask if the request is genuine.
  • Be wary if you receive strange or unexpected requests, such as from a supervisor.
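
For mail administrators, the same checks can be run automatically over incoming messages. The sketch below is an added example, not part of the original page: the domain `university.example`, the list of expected extensions, the pressure phrases, the 0.8 similarity threshold and the sample message are all assumptions constructed for illustration.

```python
import os
import re
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed values: the organization's domain, expected attachment types,
# and a few pressure phrases. None of these come from the original page.
TRUSTED = "university.example"
EXPECTED_EXT = {".docx", ".xlsx"}
PRESSURE = ("urgent", "immediately", "within 24 hours")

def is_lookalike(domain):
    """True if the domain resembles, but is not, the trusted domain."""
    labels = domain.lower().split(".")
    tail = ".".join(labels[-(TRUSTED.count(".") + 1):])
    if tail == TRUSTED:  # the real domain or one of its subdomains
        return False
    return SequenceMatcher(None, tail, TRUSTED).ratio() >= 0.8

def review(msg):
    """Return the checklist warning signs found in an EmailMessage."""
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if is_lookalike(sender):
        findings.append("lookalike sender domain: " + sender)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlsplit(url).hostname or ""
        if not host.isascii() or "xn--" in host or is_lookalike(host):
            findings.append("suspicious link host: " + host)
    for att in msg.iter_attachments():
        ext = os.path.splitext(att.get_filename() or "")[1].lower()
        if ext not in EXPECTED_EXT:
            findings.append("unexpected attachment type: " + (ext or "none"))
    if any(p in body.lower() for p in PRESSURE):
        findings.append("pressure to act quickly")
    return findings

def sample_message():
    """Constructed sample, not a real phishing e-mail."""
    msg = EmailMessage()
    msg["From"] = "HR Department <hr@universlty.example>"
    msg.set_content("Urgent: confirm your account within 24 hours:\n"
                    "https://portal.universlty.example/login\n")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename="form.docx.exe")
    return msg
```

Calling `review(sample_message())` returns four findings, one per checklist item. A check like this supports the manual checks above and does not replace them.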

How does such a targeted phishing attack work? 

Targeted attacks, whereby names of colleagues are misused or someone poses as a journalist, are carried out regularly. This involves using e-mail addresses that resemble those of the person they are impersonating, but also hacked e-mail accounts of individuals. Initially, 'innocent' contact is made to see if someone falls into the trap, or confidential information is already requested. However, in a subsequent phase, files with malware can be sent to infect systems.

Note that the scammer may not directly want to hack you but aims to enter the organization’s network through you. So don't think: what can be gained from me in this organization? You could be the gateway, for example, to gaining access to the organization’s entire e-mail server.

Additional security measures 

The weakest link in phishing is people themselves. As long as we give others (consciously or unconsciously) access to our data under certain circumstances, there is no security that can stand up to it. To prevent incidents, security measures are constantly updated. An important new measure is that Outlook now provides a notification when an e-mail originates from outside our organization. Before responding to an e-mail or opening an attachment, always check the sender.

Now don't immediately distrust everything and everyone, but always be alert about the origin of a message. It is better to double-check a message or its sender once too often than to click on that one link anyway.