These fraudulent emails or messages often appear to come from trusted sources within the University of Virginia, and sometimes even appear to be from an “@virginia.edu” email address. They ask the recipient to reply with sensitive information, such as login credentials or financial details, enter sensitive data into online forms, click suspicious links, or to download harmful attachments.
The University will never ask for your password or sensitive personal information via email.
What to Watch For:
- Requests for Sensitive Information via Email: Never share login credentials, bank details, or other sensitive information via email. Increasingly, these requests may start in email, but then ask you to fill out unfamiliar forms, text an unknown number, or pay for shipping to continue the scam.
- Unfamiliar Senders: Emails from unknown addresses or those that impersonate legitimate UVA entities.
- Urgent Subject Lines and Requests: Messages creating panic or pressuring you to act quickly, such as resetting your password or paying an invoice.
- Offers That Feel “Too Good to Be True”: Offers of large scholarships, funds, free pianos or tools, unexpected internships or jobs you didn’t apply for, or rewards. (If it sounds too generous, verify with a trusted resource before acting.)
- Suspicious Links: Hyperlinks that look odd or redirect to unexpected websites.
- Suspicious Authentication Requests: Unexpected Duo authentication prompts, or an alleged faculty or staff member asking you to authenticate/login in a way that’s different than normal.
- Suspicious Forms: Online forms asking for your login credentials, bank name or account number, password or Duo codes, and alternate phone number or email address.
- Suspicious Attachments: Unsolicited or unusual attachments. (Extra caution is needed for file extensions like .exe, .zip, or .doc.)
How to Protect Yourself:
- Verify Authenticity: Hover over links to inspect the URL before clicking. Confirm requests directly with the sender via a trusted method (such as an email address or phone number you know to be correct) and avoid responding to or engaging with suspicious messages. You can validate authenticity by using our UVA People Search tool at https://search.people.virginia.edu and reaching out to the sender directly using their official contact information.
- Report Suspected Phishing: Forward suspicious emails to abuse@virginia.edu for review. Report unexpected Duo authentication prompts as fraudulent, such as phone calls, SMS codes, or push requests as well.
- Stay Informed: Our Information Security (InfoSec) team offers a multitude of tips for spotting a fraudulent email as well as security policies and standards at https://security.virginia.edu/what-is-phishing.
Reminder:
If you believe your account has been compromised, please change your password immediately and contact our Information Security team at abuse@virginia.edu for assistance.