Virginia Tech® home

Tips and best practices to avoid phishing attacks

October is Cybersecurity Awareness Month, and the IT Security Office (ITSO) reminds the university community to remain vigilant about phishing attempts. These fraudulent email or text messages attempt to trick recipients into disclosing personal information, such as passwords or account numbers, or to deploy malicious software such as ransomware. 

Phishing tactics have become more sophisticated in recent years, making fraudulent messages harder to identify. Known as “spear phishing,” a message may appear to come from a work colleague, friend, family member, or trusted organization. 

The ITSO says that the bad actors behind these “spear phishing” attempts are relying on us to respond to these emails without questioning them, which can happen easily during a busy day. They urge members of the Virginia Tech community to become familiar with red flags that indicate a possible phishing attempt, and to take time to investigate and report suspicious messages.

What to look out for

  • Messages that request personal information. Be suspicious of any message asking you for a username or password, birthdate, account number, or other sensitive information — no matter who it appears to be from. Virginia Tech will never request your VT username or passphrase from you. 
  • Messages that want you to act now...or else. Phishing attempts often use scare tactics or a sense of urgency to extract information from recipients. For example, a message from a bank that threatens to close your account unless you provide your account number is very likely a phish. 
  • Unexpected attachments or document shares. Be wary of attachments to any email, particularly if you are not expecting them. As use of cloud services increases, phishing attempts that mimic a document share are also on the rise. Verify independently that the attachment or share is legitimate.

What to do if you receive a suspicious email 

  • Do not reply to the message. Contact the person who appears to be the sender directly if you wish to verify that the message is legitimate. Otherwise, report the suspicious message to your email provider.
  • Do not click any links or open attachments. Examine the URL before opening a link by hovering over the link (on a mobile device, press and hold the link) to discover its true destination. If the URL doesn’t look right, it probably isn’t. 
  • Check the sender’s email address. Fraudulent emails may use the name of a real person, but their email address will often come from outside the organization. For example, a phish might use “” in the email name line, but the email address actually comes from a phony address(i.e., “”). 
  • Report the email. Follow these instructions to report phishing within Outlook or Gmail.

The Division of IT offers several resources to help Virginia Tech students, faculty, and staff protect themselves against phishing and other cyber attacks:

In addition, the ITSO offers several cybersecurity awareness training programs for Virginia Tech students, employees, and departments.

For more information about cybersecurity best practices, or if you have any questions or need IT support, please visit or call the Help Desk at 540-231-4357.

Share this page