What is phishing?
Phishing is a fake email, often sent with the purpose of stealing login credentials and payment information, or identity theft. Most often, phishing emails are sent with a fake sender to make it look like the email is coming from an acquaintance or colleague. The intention is to gain trust and then trick the user into handing over information. Phishing can also be emails that contain attachments with malicious code that can delete or destroy data on the computer if opened.
Simulated phishing as a learning tool
In the spring of 2023, SDU conducted a simulated phishing campaign on all employees. The Executive Board has decided that this will be a recurring initiative. It is a key point of attention in relation to organizational information security. It is a key point of attention for the organization's information security, as the sector in general is under increased pressure, not least after Russia's invasion of Ukraine. It is also important for individual employees, as some of them are conducting research that may be of interest to foreign powers. The results of the campaign in the spring were that 19.2% clicked on the link in the email and provided their login information. We can already see an improvement in how skilled SDU employees are at catching phishing emails, as in the fall campaign only 4.8% clicked and submitted login information.
Methodology for phishing simulation
To run the campaign, SDU used Microsoft's security platform, which is an integrated part of our comprehensive Microsoft solution. During the campaign, it was recorded when a user clicked on the link in the email and whether login credentials were provided. All data was anonymized and aggregated into groups, each consisting of more than 5 people and categorized by cost numbers.
It is worth noting that information about each employee's 'clicks' was only available to two trusted employees within SDU IT, who extracted the data and carefully anonymized it. The anonymized data was then handed over to SDU Digital Compliance, which was responsible for data processing.
The aggregated data is shared exclusively through the management channel with local management, who are responsible for disseminating the information in collaboration with the local GDPR and information security coordinators. No managers or other employees will have access to data regarding individuals' clicks, if any, in connection with the campaign.
Illustration of the simulated phishing email
Can you spot all the mistakes?
5 tips to avoid phishing
- Check the sender - Is it someone you know? Or is it someone from an organization you know?
- Is it something you asked for? Or does the message seem credible?
- If in doubt, ask a colleague if they have received the same email or call the sender back. This is especially relevant if you suddenly receive an email from your boss about paying out large sums of money, also known as CEO fraud.
- If in doubt, you can also call the IT service desk at: 6550 2990 or write an email to the Service Desk.
- Your bank or insurance company will never ask you to update your information via email - if in doubt, it is always best to call and ask before entering any information.
Phishing is a fake email, often sent with the purpose of stealing login credentials and payment information, or identity theft. Most often, phishing emails are sent with a fake sender to make it look like the email is coming from an acquaintance or colleague. The intention is to gain trust and then trick the user into handing over information. Phishing can also be emails that contain attachments with malicious code that can delete or destroy data on the computer if opened.
Simulated phishing as a learning tool
In the spring of 2023, SDU conducted a simulated phishing campaign on all employees. The Executive Board has decided that this will be a recurring initiative. It is a key point of attention in relation to organizational information security. It is a key point of attention for the organization's information security, as the sector in general is under increased pressure, not least after Russia's invasion of Ukraine. It is also important for individual employees, as some of them are conducting research that may be of interest to foreign powers. The results of the campaign in the spring were that 19.2% clicked on the link in the email and provided their login information. We can already see an improvement in how skilled SDU employees are at catching phishing emails, as in the fall campaign only 4.8% clicked and submitted login information.
Methodology for phishing simulation
To run the campaign, SDU used Microsoft's security platform, which is an integrated part of our comprehensive Microsoft solution. During the campaign, it was recorded when a user clicked on the link in the email and whether login credentials were provided. All data was anonymized and aggregated into groups, each consisting of more than 5 people and categorized by cost numbers.
It is worth noting that information about each employee's 'clicks' was only available to two trusted employees within SDU IT, who extracted the data and carefully anonymized it. The anonymized data was then handed over to SDU Digital Compliance, which was responsible for data processing.
The aggregated data is shared exclusively through the management channel with local management, who are responsible for disseminating the information in collaboration with the local GDPR and information security coordinators. No managers or other employees will have access to data regarding individuals' clicks, if any, in connection with the campaign.
Illustration of the simulated phishing email
Can you spot all the mistakes?
5 tips to avoid phishing
- Check the sender - Is it someone you know? Or is it someone from an organization you know?
- Is it something you asked for? Or does the message seem credible?
- If in doubt, ask a colleague if they have received the same email or call the sender back. This is especially relevant if you suddenly receive an email from your boss about paying out large sums of money, also known as CEO fraud.
- If in doubt, you can also call the IT service desk at: 6550 2990 or write an email to the Service Desk.
- Your bank or insurance company will never ask you to update your information via email - if in doubt, it is always best to call and ask before entering any information.