Virginia Tech® home

Phishing scams

Piles of credit cards with a fish hook on computer keyboard.

Phishing is one of the most common ways people get hacked.

The best way to avoid phishing is to know the signs. 

What is phishing? 

Phishing is the act of sending fraudulent emails or texts to try and get you to provide personal information (such as passwords), or to trick you into downloading malware. The fraudster's goal may be to hack your accounts, steal your money or identity, or install ransomware and then extort you into paying them to get your data back. 

In some cases, the message may even appear to be coming from someone you know or trust, like your employer, supervisor, friend, or a family member — this is called 'spear phishing.' 

Phishing attacks have gotten more sophisticated, so it's important to be on the lookout so that you don't fall victim to these scams. 

What to look for

  • Emails where the sender does not match the source of the email (e.g., email claiming to be from Virginia Tech, but which does not come from "@vt.edu")
  • Links in the email that do not match the actual URL destination
  • Requests for your username and password (Virginia Tech will never request your username or password via email, text, or phone)
  • Requests for personal information such as your birthdate or address
  • Email attachments you aren't expecting
  • Language patterns or requests that don't seem quite right
  • Offers for jobs or money if you provide information

Take a look at this video...it walks you through the spear phishing process and points out the signs.

Common phishing scams

  • Urgent requests to verify your account details or change your password (usually sending you to a form or fake login page)
  • Fake job offers
  • Alerts of a 'contagious illness' circulating your department
  • Gift card or bitcoin offers
  • Fake invoices or shipping notifications
  • Student debt relief scams

See examples of past phishing scams we've seen at Virginia Tech »  

What to do (and what not to do)

  • Slow down! Don't reply or click links on any email without assessing for signs of phishing. If something doesn't seem right, trust your gut. If needed, look at the message again on a larger screen; it's easier to miss red flags on a tiny phone screen.
  • Do not open attachments from senders that you do not recognize, or that you are not expecting to receive.
  • Do not reply to text, email, or pop-up messages asking you to reply with personal information. 
  • Hover over links to see their true destination (press and hold the link on mobile devices). 
  • Ask questions! Contact the agency or person directly (don't reply to the email or use a phone number provided in the email) to verify any message that makes any unexpected requests, or to verify attachments. 
  • Do not send money in any form (dollars, bitcoin, gift cards) to anyone without personally contacting them to make sure the request is legitimate.
  • Refuse to send money via wire transfer. No government agency will ever ask you to wire money.
  • Use privacy settings to restrict who can see and post on your social media profiles. Spear phishers often harvest information about their victims through social media. Limit your online friends to people you know.
  • Read more about how to protect yourself from phishing on the 4Help knowledge base.

Reporting phishes

  • If you receive a suspicious email, report it as a phish through your email service. By doing so, you help flag that sender, so they're less likely to pass spam filters.
  • If you realize you've gotten phished, stop interacting with the message or sender immediately. Change your passwords across your accounts and ensure you've enabled 2-factor authentication where possible. Consider reporting the fraud to the authories..
  • If you think your VT account may have been hacked, report the incident to the IT Security Office as soon as possible.