Beware of new phishing scam

Be aware—malicious individuals are using email to pose as Vanderbilt leaders in an attempt to steal personal information and attack the institution.

One such new scam, an email with the subject line “Staff Pay and Benefits,” was reported on Wednesday, March 25. This phishing email has malicious intent. Please DO NOT click on any links, and delete the email from your mailbox.

VUIT is seeing many instances of a type of email attack called “spear phishing” across the university. This tactic is a ramped-up version of “phishing,” which is something most users have become accustomed to and have learned to protect against.

Remember that phishing is a type of malicious activity where attackers trick a user into giving up credentials such as a password or valuable data. These attacks can occur via the phone or email and often involve placing a tempting and plausible link in an email, hoping the victim will click on it.

Spear phishing is a more sophisticated variation where the attacker pretends to be a specific individual who is trusted and legitimate and, often, in a leadership position. Lately, VUIT has seen numerous instances where the perpetrators have pretended to be Vanderbilt leaders.

VUIT continues to block as many examples of obvious malfeasance as possible from making it to employees’ inboxes, but bad actors continue to grow more sophisticated in their efforts. Therefore, it is important for everyone to use the following tips to protect themselves and the university:

  • Remember that our leaders will use their official “” email addresses to conduct important Vanderbilt business. Always check the sender’s email address closely and make sure you recognize it.
  • Never click links in unfamiliar emails.
  • If there is any doubt, contact the sender or their staff using the telephone or instant messaging.
  • Avoid opening attachments unless you have verified the sender.
  • Be especially wary of unexpected communications that ask you to sign in, provide credentials, or provide other sensitive information.
  • Be alert to the fact that malicious parties often try to instill a sense of high urgency or close familiarity to catch you off guard.

If you believe you are the recipient of a phishing email, please forward it to