On July 10, VUIT implemented a change in Vanderbilt email that resulted in an [External] tag being added to the subject line of emails originating from outside of the central Vanderbilt email system. The change was implemented in response to a targeted phishing attack during which several Vanderbilt colleagues divulged their usernames and passwords.
“The external tag was a quick response to a specific and significant attack. We understand that while this has heightened awareness, it is by no means a perfect solution and has indeed resulted in some inconvenience,” said John Lutz, vice chancellor for information technology. “We are working with both leadership across Vanderbilt and with outside law enforcement agencies to subvert this and future phishing attacks and continue to evolve our overall security posture, which may include removal of the external tag. We appreciate your continued patience as we work internally.”
Some colleagues have reported challenges when sorting threaded conversations following the change. Vanderbilt IT has developed tips for managing emails now marked [External]. These tips are designed to help search and sort emails based on the subject line. Access the tips on the VUIT website.
Phishing is the practice of using email to lure unsuspecting Internet users to illegitimate websites. These email messages typically appear to be from legitimate organizations, but are designed to entice users to divulge passwords and financial or other personal information, or to introduce a virus into a computer or network.
The most recent attacks were more targeted, with some specifically directed at possibly high-earning individuals. “These attacks can be costly to individuals and to the university,” Lutz said. “We take these attempts seriously and will utilize all of our resources, including outside agencies, to continue to manage an open yet secure environment.”
Additional security measures are in process, including exploration of additional verification measures, increased communication to promote awareness and additional training opportunities. In the meantime, VUIT urges campus users to remain vigilant and offers the following suggestions:
- No entity at Vanderbilt will ask for your credentials, including ePassword verification, via email. Any email requesting you to do so should be treated as a potential phishing attack.
- VUIT will never ask you to modify your inbox or adapt security measures via an email link. Any email requesting you to do so should be treated as a potential phishing attack.
- If you receive an email tagged [External], please exercise caution in dealing with its content. The [External] tag may have some inconsistencies, some of which have been addressed.
- Be aware that attacks can also come from Vanderbilt addresses that have been “spoofed” by phishers.
- If you receive an email, either from an external or internal contact that you suspect may be a phishing attempt, please notify the VUIT Help Desk.
The Help Desk may ask you to send a copy or screen shot of the suspect email.
If you have questions or concerns regarding email sorting, suspicious email, links or websites, check with your local support provider or any of the following before clicking on suspect links.
VUIT Help Desk: 343-9999, http://it.vanderbilt.edu/helpdesk/vu/index.php
VUMC Help Desk: 343-HELP, http://helpdesk.mc.vanderbilt.edu
It is important to report suspect activity as soon as possible.