RUG uses fake email to phish for ‘victims’

‘You have to create a new password’, the CIT service desk wrote in a fake email. But they fooled no one - well, almost no one.

‘Someone has just logged into your account from an unknown location.’ The email looks suspiciously real. It uses proper Dutch, the RUG logo, the sender is known, and it even includes a RUG link. ‘Phishing emails are becoming more advanced and believable. Especially fake emails sent by supposed banks are perfect’, says IT support employee Mark Meinema.

He created the email together with the project group Risk Awareness. Over the past few months, the group has bombarded everyone with emails, posters, flyers, and inflatable babies to tell us that we should be more careful with our data. Approximately 80 per cent of emails sent over the RUG network is spam. And that is mainly our own fault.

Scare tactics

RUG employees regularly open phishing emails without looking carefully. And that makes them attractive targets for criminals online. ‘We had this campaign last year as well. We started out with a phishing email. But some people thought those scare tactics were unpleasant, so this year we decided to first inform everyone and only send a phishing email afterwards’, says Willemiek van Baan at the Centre for Information Technology (CIT).


In December, all employees were warned that the group would send a fake email. They just did not say when. ‘And right at that moment people sent real phishing emails to the RUG network. We got a striking amount of reactions from employees. ‘Is this not okay?’ they asked us,’ says Meinema.

Employees are getting better and better at recognising bad emails. ‘That’s what we want, that human firewall’, says Baan. ‘People pay attention, warn each other, and call the Service Desk. Our goal was implementing a behavioural change, and we can now see that we succeeded.’

Off the hook

Last year, the help desk’s phone was ringing off the hook after the group sent an email with the subject line ‘Important RUG Information’. Out of approximately 6,000 employees, one-third had read it. This year, that was only 8.6 per cent. Last year, approximately 22 per cent (approximately 1,300 people) clicked the link in the email. This time, that was 8.5 per cent. ‘But the best part is that last year, eight per cent of the employees had filled out their personal details. That was only five per cent this time’, according to Baan.

So: mission accomplished. However, the situation last year cannot be compared to the one this year. Last year, there was no warning or campaign beforehand. But the conclusion still seems to be that people fall for spam less easily.


For anyone who does accidentally fall for spam, there are three clear rules, Meinema explains. ‘You can very easily check whether or not the link is legitimate. It will always refer to a safe http address. The domain name ends in And the address bar should contain a lock, so you know the site is certified.’

And that is what was missing in this particular phishing email: a period in the RUG address. ‘It’s really sneaky’, Meinema warns. ‘You don’t have to be a tech wizard to create this kind of email. It’s really simple, so you have to pay close attention.’

The Risk Awareness group did not get any angry reactions to their bad email this time. ‘We only got one from an older gentleman who had changed his password just to be on the safe side and then lost his new password,’ service desk team leader Nienke Bakker says.