What is phishing?

Phishing occurs when someone attempts to use electronic communication such as email to fraudulently acquire confidential information such as your password by pretending to be a trusted person or part of a trusted group.


How does phishing work?

Phishing is a form of social engineering, the art of manipulating people into sharing confidential information or performing a desired action. Phishing attacks are most commonly transmitted via email, but they are also transmitted via:

  • Instant messaging
  • Social media websites such as Facebook, MySpace and Twitter

The communication may:

  • Ask you to reply with specific information
  • Ask you to visit a web page, which then asks you to share specific information, asks you to install software or attempts to infect your computer
  • Ask you to call a phone number, where you will be asked to share specific information

What might the phisher ask for?

  • Your password
  • Account number, card number, PIN, access code
  • Personally identifiable information like your date of birth, Social Security number or address
  • Confidential VCU information like student records, financial records or technical information

How will they encourage me to share it?

Phishers typically present a plausible scenario and often take advantage of the recipient's fear, greed or lust. They also often present a sense of urgency. Examples include messages that:

  • Tell you that your account was misused by you and will be disabled
  • Tell you that your account was compromised and will be disabled

Spear phishing - targeted phishing

Spear phishing describes a highly targeted phishing attack. Spear phishing is more successful because the message appears to come from a known and trusted individual, contains information which supports its validity and includes a request with a logical basis. The message may address you by name and it may include your job title, phone number or other personal information which was collected from websites or other sources.


Signs of a potential phishing attack

If the communication you receive exhibits any of the following, it may be a phishing attack.

  • You are asked for confidential information
  • You are asked to visit a web page with a suspicious or unexpected address
  • You do not recognize the sender or the sender does not normally contact you
  • You recognize the sender, but the sender's email address, alias or name spelling is unusual
  • You're told something negative will occur if you don't supply the requested information
  • The writing style is unusual

How to protect yourself

  • Ask yourself whether you should be sharing the information requested
  • If the supposed sender is someone known to you, contact them to discuss the request
  • Use a browser that alerts you when you attempt to visit known phishing websites
  • Before you click a link, inspect it
  • If unsure of a link's authenticity, use a link you know or find the link via a search engine
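
As an added illustration of what inspecting a link can mean in practice (this is not part of the original VCU page), the Python below compares the address each link displays with the address it actually points to in an HTML message. The domain example.edu, the function names and the sample message are assumptions made for this example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED = ("example.edu",)  # assumption: placeholder for domains you deal with
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def inspect_link(href, text):
    """Return warning signs for one link; an empty list means none were found."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    shown = HOST_RE.search(text.lower())  # a host name in the visible text
    signs = []
    try:
        ipaddress.ip_address(host)  # raises ValueError for ordinary names
        signs.append("ip-address-host")
    except ValueError:
        pass
    if shown and shown.group(0) != host:  # visible address differs from target
        signs.append("text-host-mismatch")
    if not any(host == d or host.endswith("." + d) for d in EXPECTED):
        signs.append("unexpected-domain")
    return signs

def inspect_message(html):
    collector = LinkCollector()
    collector.feed(html)
    return [(href, inspect_link(href, text)) for href, text in collector.links]

# Constructed sample body; hosts use reserved example names and addresses.
SAMPLE = ('<a href="http://portal.example.edu.login.test/reset">'
          'https://portal.example.edu/reset</a> <a href="http://192.0.2.10/v">'
          'Verify now</a> <a href="https://portal.example.edu/help">Help</a>')
```

Calling inspect_message(SAMPLE) flags the first two links and returns no signs for the third. An empty list only means none of these three checks fired, not that the link is safe.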

What to do if you receive a phishing communication

Never respond to an unsolicited email or other electronic communication with personal information before obtaining independent verification that the request is legitimate.

If you receive a phishing attempt that was sent from a VCU account or claims to have been sent by someone at VCU, report it to the Technology Services Help Desk. You may report all other phishing attempts to the Anti-Phishing Working Group.

Did you know?

In 2008, 92% of critical Microsoft vulnerabilities would have been mitigated if users didn't have administrative rights.

What is information security?

Information security is the protection of information from unauthorized access, disruption and modification, regardless of whether the information is in written, electronic or spoken form.


Random tip

If confidential data is no longer needed, delete it.

