Protect yourself from identity theft and fraud


Vanderbilt University executives found themselves the targets of a spear phishing campaign at the beginning of January. Attackers sent several department leaders, including executives in finance, a fraudulent email that appeared to be official. With this email, the phishers intended to commit wire transfer fraud. Thankfully, this attempt was thwarted. However, according to a report by the computer security blog Krebs on Security, the FBI estimates that criminals stole nearly $750 million via spear phishing and wire transfer fraud in the U.S. between October 2013 and August 2015.

Unlike a traditional phishing attack in which criminals rely on mathematical probability by casting a wide net, spear phishing campaigns target specific individuals with either privileged access to the corporate environment or access to valuable information. With this in mind, it is crucial that users become aware of phishers’ strategies and how to protect themselves.

With spear phishing, cyber criminals rely on publicly available information, such as organizational charts and social media posts, to identify their potential targets and collect as much information as possible about them. Attackers then pose as trusted sources, usually individuals or businesses with which the target is familiar, and send tailored phishing emails prompting the target to take some action. This action often involves seemingly harmless day-to-day tasks, ranging from clicking on a link and providing credentials to opening an attachment; however, by the time the recipient of a phishing email realizes that the link or attachment was malicious, it is too late.

Vanderbilt IT recommends that you take the following precautions to avoid becoming a victim of a spear phishing campaign:

  • Understand and control your digital footprint by limiting the personal information you share on public forums and social media.
  • Contact the sender directly to confirm that messages with attachments or links were indeed sent by them.
  • Report all suspicious emails to VUIT Security at