Phishing
Be sceptical when surfing the web or reading email
Not everyone is who they pretend to be online. Fraudsters try to trick you into sharing your password, personal information or bank account information by pretending to be someone else. They can do this, for example, by falsifying the sender's address in an e-mail so that it looks as if the e-mail comes from your IT department or bank. See advice on e-mail here.
The e-mail shown at the right is a phishing e-mail that was sent to some e-mail addresses at Aarhus University in September 2010.
If you encounter a phishing e-mail, do not follow the instructions in it. Just delete the e-mail.
How can you see that it is a phishing email?
- The e-mail invites the recipient to send their username and password. An employee at Aarhus University will never ask for your password in an e-mail; such a request is a sure sign of a phishing attempt.
- The e-mail has no AU design features such as logos or e-mail signature with contact information of the sender. This in itself is not a sure sign of phishing, but should raise suspicion.
But it's sent from an AU e-mail address ... or is it?
The sender's e-mail address is stated to be "webmail@au.dk", but this is faked. You cannot be sure that the sender address in an e-mail is correct, because it is technically possible to trick e-mail programs into accepting arbitrary, fictional e-mail addresses as the sender. Faking the sender address still works for the malicious sender, because the e-mail's "reply to" field is set to the sender's real e-mail address. If you are taken in by this phishing attempt, your reply therefore ends up with the malicious sender, and not with webmail@au.dk.
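The two signs described above (a request for username and password, and a "reply to" address that differs from the displayed sender) can be checked mechanically on a raw message. The following Python check is an added example, not part of the original page; the sample message, its Reply-To address and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not the real 2010 e-mail; the Reply-To address is invented.
SAMPLE = """\
From: Webmail <webmail@au.dk>
Reply-To: helpdesk@mailbox.example
To: someone@au.dk
Subject: Mailbox quota exceeded

Please reply with your username and password to keep your account active.
"""

CREDENTIAL_WORDS = ("username", "password")


def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def body_text(msg):
    """Join the decoded text parts of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return " ".join(p.get_payload(decode=True).decode(errors="replace")
                    for p in parts if p.get_content_maintype() == "text")


def phishing_indicators(raw_message):
    """Return a list of warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain(msg.get("From"))
    reply_dom = domain(msg.get("Reply-To"))
    # A Reply-To in another domain means replies leave the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    text = body_text(msg).lower()
    hits = [w for w in CREDENTIAL_WORDS if w in text]
    if hits:
        findings.append("asks for credentials: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("WARNING:", finding)
```

A message with neither sign returns an empty list, which does not prove it is genuine: the From header alone can still be faked.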
If the damage is done
If an accident occurs and you have sent your password, please contact your local IT support immediately so we can limit the damage and rectify the problem as soon as possible.




