Phishing
We all occasionally receive an email from an unknown sender, with content we weren’t expecting or that raises our suspicions in some other way. This is usually a fake email, also known as a phishing email. In fact, there are various types of phishing: it can also be done over the phone.
Risk of phishing
Phishing emails are only dangerous if you click on a link, open an attachment or reply to the email. By doing so, cybercriminals can install a malicious programme or hack into your computer to obtain data. Cybercriminals can make money by finding out your personal details via email and then abusing them. For example, by obtaining your login details for online banking and withdrawing money from your account.
Cybercriminals work hard to gain your trust. For example, they might copy the layout of Leiden University emails to make it look as though the email was sent by the university. Sometimes you might even see a screen that looks like a familiar login screen. Never reply to such emails; immediately delete them from your mailbox.
Want to learn to recognise phishing? Follow the e-learning module.
Check your emails for the six signs of phishing
1. The sender
How likely is it that the sender would send me an email? If in doubt, contact the sender using the details saved in your own address book or on the official website.
2. Email address of the sender
Verify the email address and the name of the sender. Pay attention to spelling or the use of other departments. Emails sent from a correct address may still be unsafe, so look out for other clues as well.
3. Salutation
Check the salutation. Emails with a personalised salutation are more likely to be safe.
4. Check the content
Check the content. Be vigilant if an email is unexpected or too good to be true. Phishing mails often convey a sense of urgency or threaten negative consequences.
5. Check links
Check the link. By hovering your mouse over the link, you can see which website it actually links to. The domain name of a website comes immediately before the first single slash in a link. In the example below, the domain name is therefore ‘universiteitleiden.nl’.
https://www.medewerkers.universiteitleiden.nl/ict
6. Attachment
Check the attachment. Only open attachments if you are expecting them. Pay extra attention to .zip, .rar and .exe files and files containing macros.
If you have doubts about the authenticity of a university email, contact the relevant department via the university website and do not click on the link in the email.
Reporting phishing
Report (potential) phishing attempts, data breaches and malware to the ISSC helpdesk (tel. 8888). You must also notify your supervisor of any loss of confidential data.
When reporting a phishing email to the ISSC, be sure to include the email as an attachment. You can do this as follows:
• In Outlook, click on “Home” in the top left.
• Then click on “Forward”, then on “More”.
• Here you will see the option to forward the message as an attachment.