Increased Phishing Risks For VCU Community

VCU is seeing a rapid increase in the sophistication of phishing tactics targeting our community. Recent scams are no longer limited to fake password pages. Attackers are now using more convincing methods, including fake party invitations, fake document signing requests, and legitimate Microsoft sign-in links.

We have observed two recent patterns that are worth noting:

1. Fake party invitations that install remote access software - Some phishing messages pretend to be invitations or event-related notices. These may include links or downloads that install remote monitoring and management (RMM) tools, such as ScreenConnect or similar software. These tools can give an attacker remote access to victims’ computers and, therefore, allow them to use those computers to send out more scams.

To protect ourselves, please be very suspicious of messages that meet the following criteria:

• Ask you to install software to view an invitation, RSVP, or open event details. This can come from people you know.
• Include unexpected installer files such as .msi or .exe
• Create urgency or pressure to act quickly

2. Fake document signing or attachment messages using Microsoft login flows - Other phishing messages appear to be DocuSign, Microsoft, SharePoint, OneDrive, or document signing requests. Some may open a real Microsoft sign-in page, but the process is still malicious.

In these scams, attackers may ask the victim to:

• Copy and paste a “verification code” into a legitimate Microsoft sign-in page
• Click a Microsoft login link included in an email that later redirects somewhere else
• Open a PowerPoint, PDF, or other attachment that sends you to a fake verification page
• Sign in to view or approve a document you were not expecting
• Even if the page uses login.microsoftonline.com, the request may still be part of a phishing attack.

Please stop and report the message if some of the following criteria are met:

• You were not expecting the document, invitation, or signing request
• The message asks you to install software
• You are asked to copy a code into a Microsoft sign-in page
• The link starts with Microsoft but redirects to an unrelated website
• The sender’s message feels unusual, rushed, or vague
• The attachment is unexpected, especially PowerPoint, HTML, or ZIP files.
• When in doubt, do not click further, do not enter a code, and do not install anything. Please report suspicious messages to phishing@vcu.edu
  When possible, use the “Report phishing” option in Gmail or forward the message as an attachment. Reporting helps VCU block the attack and protect others.