Spear phishing awareness: Don’t take the bait!
Recently, Virginia Tech's IT Security Office has observed that the sophistication of these 'spear phishing' messages is increasing -- in some cases, the message may even appear to be coming from someone you know or trust, like your employer, supervisor, friend, or family member. Personal information or financial data gleaned from spear phishing attacks can compromise the security of an individual or organization’s assets and information.
What to look for
- Emails where the sender does not match the source of the email (e.g., email claiming to be from Virginia Tech, but which does not come from vt.edu)
- Links that do not match the actual URL destination
- Requests for usernames and passwords
- Unprompted requests to change or update passwords
- Requests for personal information such as birthdates
- Unexpected attachments
What to do
- Don’t send money in any form (dollars, bitcoin, gift cards) to anyone without personally contacting them to make sure the request is legitimate.
- Refuse to send money via wire transfer. Call the person or the government agency using a known or published telephone number to get the real story and decide what to do. No government agency will ever ask you to wire money.
- Use privacy settings to restrict who can see and post on your social media profiles. Limit your online friends to people you know.
- Do not open attachments from senders that you do not recognize, or which you are not expecting to receive.
- Don’t reply to text, email, or pop-up messages asking you to reply with personal information.
- Mouse over links in emails to see their true destination.
- Ask questions: Contact the agency or person directly to verify email that makes any unexpected requests, and to verify attachments.
If you receive a suspicious email, you should inform your IT departmental liaison. You should also forward suspicious emails to email@example.com and firstname.lastname@example.org. When doing this, be sure to include the email header, which helps our security personnel track down and block messages at or near their source. Additionally, be sure to mark these messages as 'spam' or 'phishing' inside your email client (e.g., Outlook, Gmail). By doing so, you enable another layer of protection that will block additional messages or malicious links from that sender, and help keep others safe as well.