Uh-oh… You clicked on a phishing email!


Don’t panic: this was a fake phishing email, staged by the Switch on Security campaign of Utrecht University. Please keep reading to prevent yourself from clicking on a ‘real’ phishing email.


Unfortunately, cybercrime has become a part of our day-to-day life. Cybercriminals regularly target Utrecht University. One of the most common cyber threats is the phishing attack. Worldwide, around 75% of all companies have been targeted this way, with a 95% success rate.

The more alert we are, the better we can protect your data and the data of the UU.

Read below how to recognize phishing in 5 ways

We all get phishing emails. They used to be very recognizable, but nowadays they seem very convincing in design, content and timing. So how would you recognize a phishing email?

The images below are examples. They are different from the phishing email you have received now (or real phishing emails you will receive in the future).

1. Unclear or unofficial sender

Check if the email address in the ‘from:’ field is correct. Always check emails from your bank or IT department. The sender address of an email from the UU always ends with @uu.nl. Also ask yourself whether you were expecting an email from the sender, especially if you do not immediately recognise the sender's name. For example, do you know someone named 'Jan Goedhart' and were you expecting a document from him?

2. General greeting

If an email opens with general terms like ‘dear sir/madam’, or just ‘hi’ or ‘hello’, then it’s pretty often a phishing email. Companies that you work for, or are a customer of, usually address you by your first and/or last name.

3. Odd language or weird design

In the ‘good old days’, phishing was recognizable by its terrible spelling and equally bad design. Today, phishing emails are quite convincing in both text and design. Nonetheless, always check for irregularities and compare the email with emails you received earlier from that company or authority. A phishing email often urges quick action to allegedly ‘prevent something from going wrong’.

4. Asked to click a link or open an attachment

Check links and copy them to your browser, as long as you trust the sender. Never open an attachment if the email is doubtful. Attached files with the extension ‘.exe’ and Office files with macros (these often come in zip files) are the most dangerous.

5. A request for personal data

No honest authority will ever ask you for your password, credit card information or PIN code by email or phone. If this comes up in an email, it’s phishing. When you need to enter a password to log in, always check carefully that you are on the correct website: always check the website address (the URL).

Want to know more about phishing?

Check the student site (for students) or intranet (for employees).

Want to work securely? Switch on Security

Switch to working securely to protect your data and the data of Utrecht University. Have a look at https://www.uu.nl/switchonsecurity to discover the safe choices you can make today.