June 21, 2016

Protect yourself against phishing attacks

Phishing attacks continue to pose threats to health care and education institutions in particular. Amid this heightened awareness of online security, VUMC IT has compiled the following information about what a phish looks like, common techniques used by attackers after an account is compromised, and best practices to protect yourself from becoming a victim of phishing.

The simplest way to protect yourself from a phishing attack is by securing your passwords and other personal information. Many times, though, emails and websites appear to be legitimate, and we end up handing over the keys to our accounts ourselves.

A phish is made to look like an official email, be it from a friend, a business or even an organization. The email can come from a phony email address that may only be one or two characters different from the real account, or it can come from a real account that has already been compromised.

Among the many entities a phish may pretend to come from, it can be made to look like an official VUMC IT or general Vanderbilt email. In this case, the attacker’s goal will likely be to steal your VUnetID and ePassword. The message might state that your email box is full and that credentials need to be submitted to increase quota size, and then direct you to a webpage, hosted on an external domain, that is made to look like a popular site such as Amazon or iTunes. Regardless of the type of phish, it will nearly always link to a site outside of Vanderbilt and ask for credentials to be submitted to that site.
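As an added illustration (not VUMC IT's own tooling), the two indicators described above, a sender address one or two characters off from the real one and links that leave Vanderbilt, can be checked mechanically. The `TRUSTED` constant, the function names and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "vanderbilt.edu"  # assumption: the organization's own mail/web domain

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'internal', 'lookalike' (1-2 edits from TRUSTED) or 'external'."""
    host = host.lower().rstrip(".")
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "internal"
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    base = ".".join(host.split(".")[-2:])
    return "lookalike" if edit_distance(base, TRUSTED) <= 2 else "external"

def assess(raw_message):
    """Classify the sender's domain and every link that leaves TRUSTED."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    findings = {"sender": classify_host(sender.rpartition("@")[2]), "links": {}}
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if classify_host(host) != "internal":
            findings["links"][host] = classify_host(host)
    return findings

# Constructed sample message (not a real phish) modelled on the "mailbox full" lure.
SAMPLE = """\
From: VUMC IT Help Desk <helpdesk@vanderbi1t.edu>
Subject: Mailbox quota exceeded

Your email box is full. Submit your credentials to increase quota size:
http://vanderbilt.edu.quota-upgrade.example.net/login
Main site: https://www.vanderbilt.edu/
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The suffix check matters: a host that merely starts with the trusted name, as in the sample link, is still external. A message sent from a real account that has already been compromised passes the sender check, so the link check and verification with the sender remain necessary.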

Once attackers possess your credentials and your account is compromised, they can hide their activities by redirecting, deleting or forwarding emails that might otherwise catch your attention. In other words, you will not see any change to your account and will not know that someone else is accessing your information. Even more damaging, they could use your VUnetID, ePassword and security questions in applications such as C2HR to change your bank routing information or access W2 tax information. (NOTE: In such cases, contact the IRS to alert them of impending tax fraud and begin to monitor your credit. Credit monitoring may offer additional protections from fraud and identity theft.)

If there is ever a question about the legitimacy of an email, please contact the IT help desk, your local support person or Security Operations to verify it.

Remember:

  • Never give your ePassword to anyone.
  • Never click on links or open attachments in emails unless you verify that the sender is who he or she claims to be and acknowledges sending the email.

For additional general information about phishing and how to protect yourself, please contact VUMC IT Incident Response at vumcit.incident.response@vanderbilt.edu.