Phishing
- What is Phishing
- How to avoid being a phishing victim
- How to report a phishing attempt
- What to do if you responded to a phishing attempt
What is Phishing
Phishing is an attempt to acquire sensitive information (passwords, account numbers, personal details) by masquerading as a legitimate or trustworthy entity. Phishing is typically carried out by e-mail (as a variant of spam) or via text messaging, and often directs the recipient to a forged Web site that captures whatever is typed into it. "Spear-phishing" is a phishing attack tailored to a specific person or group (for example, one campus department); it is harder to recognize because the message uses details the target expects to see.
How to avoid being a phishing victim
Don't rely on forgeable credentials
Caller ID, text message sender IDs, and e-mail 'From:' and 'Reply To:' addresses can all be forged, so none of them proves who actually sent a message and you cannot rely on them as a source of verification. SF State will never ask you for sensitive data, such as your password, via e-mail.
Don't respond to messages you suspect may be phishing
E-mail 'From:' and 'Reply To:' addresses are often forged, stolen, or created solely for the purpose of sending spam. Replying accomplishes nothing except confirming to the sender that your address is live and read, which invites more spam and phishing. Don't click links in, or open attachments from, messages you suspect to be phishing; if you need to contact the organization named in the message, type its Web address yourself or use a phone number you already have.
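The two points above (the visible sender is forgeable, and the message's own headers are the only place to look for evidence) can be checked mechanically. The following is an added example, not part of the SF State page: it parses a constructed raw message and compares the 'From:' domain against 'Reply-To:', 'Return-Path:' and the SPF/DKIM/DMARC verdicts in the Authentication-Results header that a receiving mail server adds. The sample messages, the mail server name mx.sfsu.edu, and all addresses in them are made up for the example.

```python
"""Flag sender-header mismatches that typically appear in phishing e-mail.

Added example; not code from the SF State page. The raw messages below are
constructed for illustration, including the mail server name mx.sfsu.edu.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed phishing sample: claims to be from the campus help desk, but
# replies go elsewhere, the bounce address is a third-party relay, and the
# receiving server's SPF/DKIM/DMARC checks did not pass.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.sfsu.edu; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=sfsu.edu
From: "SF State Help Desk" <helpdesk@sfsu.edu>
Reply-To: account-verify@webmail-support.example.org
To: student@sfsu.edu
Subject: Your e-mail will be turned off in 24 hours

Click http://sfsu-login.example.org to keep your account.
"""

# Constructed legitimate sample: bounce address matches the sender and all
# three authentication checks passed at the receiving server.
SAMPLE_LEGIT = """\
Return-Path: <helpdesk@sfsu.edu>
Authentication-Results: mx.sfsu.edu; spf=pass smtp.mailfrom=sfsu.edu; dkim=pass header.d=sfsu.edu; dmarc=pass header.from=sfsu.edu
From: "SF State Help Desk" <helpdesk@sfsu.edu>
To: student@sfsu.edu
Subject: Scheduled maintenance this weekend

Mail will be unavailable Saturday from 02:00 to 04:00.
"""


def domain_of(header_value):
    """Return the lower-cased domain part of an address header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Extract method=verdict pairs (spf, dkim, dmarc, ...) from an
    Authentication-Results header. The first ';'-separated field is the
    authenticating server's name and is skipped."""
    results = {}
    for clause in value.split(";")[1:]:
        tokens = clause.strip().split()
        if tokens and "=" in tokens[0]:
            method, verdict = tokens[0].split("=", 1)
            results[method.lower()] = verdict.lower()
    return results


def sender_warnings(raw_message):
    """Return a list of human-readable warnings about the sender headers.
    An empty list means nothing looked inconsistent (not proof of safety)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(str(msg.get("From", "")))
    warnings = []

    # Reply-To pointing at a different domain than From is the classic
    # sign that the visible sender was forged and replies are harvested.
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Return-Path is the envelope sender used for bounces; bulk phishing
    # kits usually send through a relay that does not match From.
    rp_dom = domain_of(str(msg.get("Return-Path", "")))
    if rp_dom and rp_dom != from_dom:
        warnings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # Only a verdict of "pass" counts; "fail", "none", "softfail" or a
    # missing method all mean the From domain was not authenticated.
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            warnings.append(f"{method} verdict is {verdict}, not pass")
    return warnings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, sender_warnings(sample) or ["no sender-header warnings"])
```

Two caveats apply. The Authentication-Results header is only meaningful when it was added by your own receiving mail server (here assumed to be mx.sfsu.edu); an attacker can insert a forged one upstream, so mail systems strip incoming copies before adding their own. And an empty warning list only means the headers are consistent: a compromised legitimate account sends mail that passes every one of these checks.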
Use and enable browsers that are phishing aware
Anti-phishing protection has been built into popular web browsers for years. Beginning with Internet Explorer 7, Firefox 2.0 and Opera 9.x, browsers have checked the sites you visit against lists of known phishing and malware sites and warned you before loading one, and every current major browser does the same. Make sure these features are enabled (most are on by default). They reduce, but do not eliminate, the risk from a fraudulent link in an e-mail message: a phishing site created hours ago may not be on any list yet, so a missing warning is not proof that a site is genuine.
ID and password management
Phishers use the account name and password they obtain to log in to other systems where the same credentials are reused. If you keep the same ID and password on several systems (e.g., campus, bank, social networking sites) and you revealed them in a phishing attempt, change your password on all of those systems. Phishers deliberately target sites where people tend to be lax with their credentials, such as a forum or social networking site, and then try the same login on sites where people's guard is higher, such as a bank or campus account.
Be aware of false threats
Phishing messages commonly include threats (e.g., that your e-mail will be turned off) to make recipients act quickly, without thinking. If you think there is any possibility the 'threat' is real, verify it through a channel you already trust, such as the Help Desk's published phone number or Web site, rather than by replying to the message or clicking its links.
Manage your Internet identity
Scammers gather the details that make a message convincing from many sources. If posting your e-mail address on a Web site, forum, etc. brings you no real benefit, consider whether it needs to be public at all. If you use any kind of social networking site, review the site's policy on sharing information and turn on the privacy features it provides.
How to report a phishing attempt
For phishing attempts sent to SF State e-mail addresses, forward the entire message, including its headers, to abuse@sfsu.edu. Forwarding a message inline usually strips the original headers, which are what the abuse team needs to trace the sender, so the easiest way to include them is to forward the message as an attachment. If you are unsure how to send a message as an attachment, please contact the DoIT Help Desk with the name of your e-mail program.
What to do if you responded to a phishing attempt
- Immediately change your password (for SF State e-mail accounts: www.sfsu.edu/password). If you use the same password for more than one account, you must change it on every one of those accounts; the phisher will try it elsewhere.
- Check that your computer itself has not been compromised: run a full scan with both anti-virus and anti-malware software. (See SF State's Anti-Virus and Software Downloads pages for more information on these tools.)
- In your e-mail application (e.g., Outlook, Thunderbird, Mac Mail, OWA), open your signature file and verify that no links have been added. Also check your mail settings for forwarding rules or filters you did not create; attackers who obtain a password commonly add these to copy your mail or hide their own messages, and they survive a password change.
- If you are unclear on how to perform any of these steps, contact your local IT support or the DoIT Help Desk.
