
Spear Phishing


Virginia Tech's IT Security Office has observed that the sophistication of 'phishing' and 'spear phishing' messages is increasing -- in some cases, the message may even appear to be coming from someone you know or trust, like your employer, supervisor, friend, or family member. Personal information or financial data gleaned from phishing attacks can compromise the security of an individual or organization’s assets and information.

What to look for

  • Emails where the sender does not match the source of the email (e.g., email claiming to be from Virginia Tech, but which does not come from vt.edu)
  • Links that do not match the actual URL destination
  • Requests for usernames and passwords (Virginia Tech will never request your username or password via email, text, or phone)
  • Unprompted requests to change or update passwords
  • Requests for personal information such as birthdates  
  • Unexpected attachments

What to do 

  • Do not send money in any form (dollars, bitcoin, gift cards) to anyone without personally contacting them to make sure the request is legitimate.
  • Refuse to send money via wire transfer. Call the person or the government agency using a known or published telephone number to get the real story and decide what to do. No government agency will ever ask you to wire money.
  • Use privacy settings to restrict who can see and post on your social media profiles. Limit your online friends to people you know.
  • Do not open attachments from senders that you do not recognize, or which you are not expecting to receive.
  • Do not reply to text, email, or pop-up messages asking you to reply with personal information. 
  • Mouse over links in emails to see their true destination (press and hold the link on mobile devices).
  • Ask questions: Contact the agency or person directly to verify email that makes any unexpected requests, and to verify attachments. 
  • Read more about how to protect yourself from phishing on the 4Help knowledge base.

If you receive a suspicious email, inform your IT departmental liaison. You should also report suspicious emails to Outlook or Gmail. Additionally, be sure to mark these messages as 'spam' or 'phishing.' By doing so, you enable another layer of protection that will block additional messages or malicious links from that sender, and help keep others safe as well.

Finally, if you think you may have been hacked, report the incident to the IT Security Office as soon as possible.