October 6, 2016

Ask before you click to avoid phishing scams

October is Cyber Security Awareness Month. The VUMC IT Security Operations team has put together information on the top threats for employees in the health care sector. This week the focus is on phishing emails.

Phishing attacks pose a threat to health care institutions in particular. Amid the heightened attention to this threat, VUMC IT has prepared this article to make you more aware about the dangers of an email phishing attack.

VUMC experiences a high number of phishing attempts. Payroll periods are especially vulnerable times. The Medical Center has also had phishing incidents regarding email limits and even required training. The following is some advice to follow to avoid having your credentials compromised, and possibly your identity or your money stolen.

What is phishing?

A phish is created to look like an official email. It can look like it is from a friend, a business or even your own organization. The email can come from a fake email address or from a real account that has already been compromised.

As a Medical Center employee, you might be especially vulnerable to a phishing attack because emails can be made to look like an official IT communication or a general Medical Center email. The attacker’s goal will likely be to steal your VUnetID and ePassword. Messages nearly always link to a site outside of the Medical Center and will ask you to submit your credentials.

Once attackers possess your credentials they can use your VUnetID and ePassword to use applications such as C2HR to change your bank routing information.  

How to avoid being phished

The best way to avoid being phished is to be vigilant about the emails you receive. In addition, secure your passwords and other personal information.


  1. Never click on links or open attachments from senders that you do not know. 
  2. Never give your credentials to anyone.

If there is a question about the legitimacy of an email, please contact the IT Help Desk, your independent IT support person, or Security Operations.

ays to spot a phishing email

There are a few tell-tale signs that an email is from an attacker. Here are some best practices to spot a phishing email:

  1. Check the sender’s email address to confirm the message is from a Medical Center or university employee (username@vanderbilt.edu) or a credible vendor.
  2. The Medical Center will never ask for your credentials within an email.
  3. Right click on the link within the email. This is usually the best way to tell if you are being led away from an official Medical Center page.
  4. Phishers add lines to emails to make them appear more like an official Vanderbilt communication. Examples include:
  • IT Help Desk
  • Division of Information Technology Help Desk Supervisor or User Services Support
  • ithelpdesk@vanderbilt.edu
  1. Check the spelling and grammar. Most phishing emails are poorly written.
  2. Most phishing sites will expose your password as you type it in.

What to do when you receive a phishing e-mail  

Act immediately:

  1. Call the help desk or your independent IT service provider to report the suspicious email. Follow their directions for what to do.

For now, phishing will be a persistent threat because it remains one of the easiest ways for attackers to obtain personal information. If you are ever unsure, the best thing to do is ask before you click.

For additional information about phishing and how to protect yourself, contact the Helpdesk at 3-HELP (615-343-4357) or email the Help Desk at helpdesk.vumc@vanderbilt.edu. The Help Desk can place a ticket with Security Operations for you.

Media Inquiries: Tracey Mayo Street, tracey.m.street@vanderbilt.edu