Spear phishing awareness: Don’t take the bait!

From: Division of Information Technology


Spear phishing is a fraudulent electronic communication that attempts to gather personal information or money from a specific individual or organization. Recently, Virginia Tech's IT Security Office has observed that these messages are becoming more sophisticated; in some cases, a message may appear to come from someone you know or trust, such as an employer, supervisor, friend, or family member. Personal information or financial data gleaned from spear phishing can compromise the security of individual or organizational assets and information.

What to look for

  • Emails where the sender does not match the source of the email (e.g., email claiming to be from Virginia Tech, but which does not come from vt.edu)
  • Links that do not match the actual URL destination
  • Requests for usernames and passwords
  • Unprompted requests to change or update passwords
  • Requests for personal information such as birthdates
  • Unexpected attachments
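The first, second, third and sixth indicators in the list above can be checked mechanically before a human ever reads the message. The script below is an added example, not part of the original article or of Virginia Tech's tooling: it parses a raw email with Python's standard `email` library and reports a From domain that does not belong to the organization the message claims to represent, links whose visible text names a different host than the real `href`, wording that asks for a username or password, and any attachment. The two sample messages, the sender addresses in them, and the organization domain `vt.edu` used as the expected sender domain are constructed for demonstration.

```python
"""Flag the spear-phishing indicators from the "What to look for" list in a raw email."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the message claims to represent (assumption for this example).
CLAIMED_DOMAIN = "vt.edu"
# Words that typically accompany a request for credentials.
CREDENTIAL_WORDS = re.compile(r"\b(username|password|passcode|login)\b", re.I)
# Visible link text that itself looks like a URL or bare domain.
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element and all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor_text).strip(), self._href))
            self._href = None


def host_of(url_or_domain):
    """Return the lowercased host part of a URL or bare domain."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def link_text_mismatch(visible, href):
    """True when the visible text looks like a URL but its host differs from the real href."""
    if not DOMAIN_LIKE.match(visible):
        return False
    return host_of(visible) != host_of(href)


def sender_domain(msg):
    """Domain of the address in the From header (display name is ignored)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw, claimed_domain=CLAIMED_DOMAIN):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = sender_domain(msg)
    if sender and not (sender == claimed_domain or sender.endswith("." + claimed_domain)):
        findings.append(f"sender domain '{sender}' is not {claimed_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    visible_text = content
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(content)
        visible_text = "".join(parser.text)
        for visible, href in parser.links:
            if link_text_mismatch(visible, href):
                findings.append(f"link text '{visible}' actually points to {host_of(href)}")

    if CREDENTIAL_WORDS.search(visible_text):
        findings.append("message asks for credentials")

    for part in msg.iter_attachments():
        findings.append(f"unexpected attachment '{part.get_filename()}'")
    return findings


# Constructed sample: a spear-phishing message with all four indicators present.
SAMPLE_EMAIL = """\
From: "VT IT Support" <it-support@vt-edu-help.example.com>
To: student@vt.edu
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your mailbox is over quota. Reply with your username and password or
sign in at <a href="http://login.example.net/vt">https://login.vt.edu</a>.</p>
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed sample: a legitimate notice from the expected domain.
CLEAN_EMAIL = """\
From: "4Help" <4help@vt.edu>
To: student@vt.edu
Subject: Training reminder
Content-Type: text/plain; charset="utf-8"

Security awareness training is next Tuesday. Details: https://4help.vt.edu
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print("FLAG:", finding)
    print("clean message findings:", check_message(CLEAN_EMAIL))
```

Run against `SAMPLE_EMAIL` the script reports all four indicators; the clean message yields no findings. The sender check deliberately compares only the address domain, because the display name ("VT IT Support") is attacker-controlled, and the link check only fires when the visible text itself looks like a URL, which is the case the list describes (link text that does not match the real destination).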

What to do

  • Don’t send money in any form (dollars, bitcoin, gift cards) to anyone without personally contacting them to make sure the request is legitimate.
  • Refuse to send money via wire transfer. Call the person or the government agency using a known or published telephone number to get the real story and decide what to do. No government agency will ever ask you to wire money.
  • Use privacy settings to restrict who can see and post on your social media profiles. Limit your online friends to people you know.
  • Do not open attachments from senders that you do not recognize, or which you are not expecting to receive.
  • Don’t reply to text, email, or pop-up messages asking you to reply with personal information.
  • Mouse over links in emails to see their true destination.
  • Ask questions: Contact the agency or person directly to verify any email that makes an unexpected request, and to verify attachments before opening them.

If you receive a suspicious email, you should inform your IT departmental liaison. You should also forward suspicious emails to abuse@vt.edu and itso@vt.edu. When doing this, be sure to include the email header, which helps our security personnel track down and block messages at or near their source. Additionally, be sure to mark these messages as 'spam' or 'phishing' inside your email client (e.g., Outlook, Gmail). By doing so, you enable another layer of protection that will block additional messages or malicious links from that sender, and help keep others safe as well.

To learn more

Virginia Tech departments can learn more about how to detect phishing scams by requesting departmental security awareness training via the 4Help service catalog.

You can also check out this article on 'How to protect yourself from phishing attacks' in the 4Help Knowledge Base.

From the Federal Trade Commission (FTC): Learn about recent scams and how to recognize the warning signs - https://www.consumer.ftc.gov/features/scam-alerts

From the Consumer Federation: Fraud Videos and Tips - https://consumerfed.org/in_the_media/fraud-videos-and-audio/

And to see if you are susceptible to being phished, take the Google Phishing Quiz.