Protect yourself: Spear phishing attacks on the rise
Oct. 7, 2018, 2:29 PM
Be aware—malicious individuals are using email to pose as Vanderbilt leaders in an attempt to steal personal information and attack the institution.
In recent weeks, VUIT has seen many instances of a type of email attack called “spear phishing” across the university. This tactic is a ramped-up version of “phishing,” which is something most users have become accustomed to and have learned to protect against.
Remember that phishing is a type of malicious activity where attackers trick a user into giving up credentials such as a password or valuable data. These attacks can occur via the phone or email and often involve placing a tempting and plausible link in an email, hoping the victim will click on it.
Spear phishing is a more sophisticated variation where the attacker pretends to be a specific individual who is trusted and legitimate and, often, in a leadership position. Lately, VUIT has seen numerous instances where the perpetrators have pretended to be Vanderbilt leaders, such as the chancellor or provost. In these cases, and no doubt in others involving additional Vanderbilt leaders, part of the tactic has been to utilize a plausible-sounding email ID masquerading as a personal ID (for example: email@example.com).
VUIT continues to block as many obviously malicious messages as possible before they reach employees’ inboxes, but bad actors continue to grow more sophisticated in their efforts. Therefore, it is important for everyone to use the following tips to protect themselves and the university:
- Remember that our leaders will use their official “@vanderbilt.edu” email addresses to conduct important Vanderbilt business.
- Always check the sender’s email address closely and make sure you recognize it.
- Never click links in unfamiliar emails.
- If there is any doubt, contact the sender or their staff using the telephone or instant messaging.
- Avoid opening attachments unless you have verified the sender.
- Be especially wary of unexpected communications that ask you to sign in, provide credentials, or provide other sensitive information.
- Be alert to the fact that malicious parties often try to instill a sense of high urgency or close familiarity to catch you off guard.
- If you believe you are the recipient of a phishing email, please forward it to firstname.lastname@example.org.
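
The sender-address checks in the tips above can also be run automatically over a reported or quarantined message. The following Python is an added example, not VUIT's tooling: it flags mail whose display name claims a leader while the address is not at the official “@vanderbilt.edu” domain. The name `Pat Example`, the `mail.example` domain, and the function names are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAIN = "vanderbilt.edu"            # official domain named in the advisory
PROTECTED_NAMES = {"pat example"}             # constructed placeholder, not a real person
PROTECTED_TITLES = {"chancellor", "provost"}  # roles the advisory says were impersonated

def _norm(text):
    """Lowercase and reduce to letters and single spaces for comparison."""
    return " ".join(re.sub(r"[^a-z ]", " ", text.lower()).split())

def _domain(addr):
    """Return the lowercased part of an address after the last '@'."""
    return addr.rpartition("@")[2].lower()

def check_sender(raw_message):
    """Return a list of reasons the message deserves a closer look."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    name = _norm(display)
    claims_leader = (any(p in name for p in PROTECTED_NAMES)
                     or bool(PROTECTED_TITLES & set(name.split())))
    official = _domain(addr) == OFFICIAL_DOMAIN
    reasons = []
    if claims_leader and not official:
        reasons.append("leader name on non-official address")
    # A correct-looking From can still steer replies to an outside mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if claims_leader and official and reply_to and _domain(reply_to) != OFFICIAL_DOMAIN:
        reasons.append("reply-to leaves official domain")
    return reasons

# Constructed sample messages, not taken from real mail.
SAMPLES = {
    "lookalike": ('From: "Pat Example, Chancellor" <pat.example.office@mail.example>\n'
                  "Subject: Quick favor\n\nAre you available?"),
    "official": ("From: Pat Example <pat.example@vanderbilt.edu>\n"
                 "Subject: Town hall\n\nDetails attached."),
    "reply_to": ("From: Pat Example <pat.example@vanderbilt.edu>\n"
                 "Reply-To: pat.private@mail.example\n"
                 "Subject: Urgent\n\nReply now."),
    "unrelated": ("From: Campus Newsletter <news@lists.example>\n"
                  "Subject: Weekly digest\n\nThis week on campus."),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw))
```

The `From` header itself can be forged, so an address at the official domain is not proof of origin; a check like this belongs alongside the mail system's SPF, DKIM, and DMARC results, not in place of them.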