On a Friday morning in August, DTU Library staff are gathered in a meeting room at Lyngby Campus, Building 101. The atmosphere is relaxed; colleagues chat over coffee while software developer Mikkel Sjølund Pieler prepares to present a home-made karaoke song about phishing.
Before the summer break, employees participated in a simulated phishing campaign intended to raise awareness about safe digital behaviour, in which they received fake emails that looked like real phishing attempts. Today they will be presented with the results of that campaign.
"I thought that if we’re going to remember this, it should be fun," Mikkel says before pressing play. Music and laughter fill the room as the text scrolls across the screen: “We didn’t click the link.
Now we are cyber heroes, phishing count is zero.”
New employee took the initiative
The idea came about eight months ago when Mikkel Sjølund Pieler brought up cybersecurity at a morning meeting shortly after being hired. There, he demonstrated to his colleagues how easy it can be to hack a computer with a simple USB stick.
With his presentation, he hoped to strengthen the safety culture among the library’s 45 employees:
"It starts with small habits like locking your screen when you leave your computer," explains Mikkel Sjølund Pieler, who thought that focus on the topic was lacking in the workplace.
Head of Library Gitte Bruun Jensen embraced Mikkel’s idea and started a dialogue with the Department of IT Service (AIT) about the possibility of participating in a simulated phishing campaign.
"We wanted to help test the concept and provide AIT with knowledge about what works," she says.
Recognizing the phishing email as suspicious
The campaign required employees to recognize the phishing emails as suspicious, report them via the “Report Phishing” button in Outlook, and participate in a short online course.
Alongside the phishing campaign, Mikkel Sjølund Pieler worked with the Department of IT Service to put up posters in the lunchroom, toilets, and hallways with messages such as 'Lock your screen', 'Think before you click' and 'The biggest threat comes from human error'.
According to the Head of Library, the purpose of the phishing campaign is to increase employees’ awareness of safe digital behaviour, not to expose or monitor them.
"We’ve been very clear with our employees that it’s not about assigning blame, but about learning," says Gitte Bruun Jensen.
She emphasizes that the results are treated anonymously, and all employees get access to course material regardless of whether they fall into the trap or not.
Interest and doubts
The phishing campaign raised both interest and technical questions. Despite a thorough introduction from AIT, doubts arose about the correct handling of phishing emails.
"There was just some doubt: ‘Should I click on the phishing email to get to the course?’ ‘No, no. After all, it’s a test.’ ‘Don’t click it, report it’," Gitte Bruun Jensen explained repeatedly to employees.
Several people also asked how to report a suspicious email via Outlook and what happens if you simply delete the email without reacting.
Encouraging results
During the test period, Mikkel Sjølund Pieler has observed several positive changes in his colleagues’ behaviour:
"They are more aware of suspicious email senders and don’t just click on unsafe links. They talk about these things together, which increases the overall cybersecurity focus. I think that’s great."
The results of the campaign are encouraging. The percentage of employees reporting phishing has increased from 42 to 68 per cent during the test period. A clear improvement.
At the office meeting in the conference room, an employee raises their hand and says: "I've learned that it’s not enough to delete suspicious emails—they also need to be reported in Outlook." Mikkel Sjølund Pieler and Gitte Bruun Jensen nod with satisfaction.
Threat landscape expanding
The Head of Library sees cybersecurity as a growing challenge—also for the university sector:
"There are attacks everywhere, all the time—phishing, hackers, everything. It’s important that we all increase our awareness—without it turning into fear."
She refers to a previous incident where someone posed as the president and asked for funds.
"Even though no one reacted—thankfully—it gives you an unpleasant feeling of being scammed."
In the long term, both Gitte Bruun Jensen and Mikkel Sjølund Pieler hope that the library’s experiences can inspire the entire DTU.
"If our experience can help other units get started, then it’s already been worth it," concludes Gitte Bruun Jensen.