Phishing Guide


What is Phishing

Phishing is an attempt to acquire sensitive information by pretending to be a legitimate or trustworthy entity. Phishing is typically carried out by e-mail (as a variant of spam) or via text messaging, and may also involve redirecting a user to a forged Website. "Spear-phishing" is a phishing attack focused on a specific community of users.


How to avoid being a phishing victim

Don't rely on forgeable credentials

Caller ID, text message IDs, and e-mail 'From:' and 'Reply To:' addresses can all be forged. Therefore, you cannot trust them as a source of verification. SF State will never ask you for sensitive data via e-mail.


Don't respond to messages you suspect may be phishing

E-mail 'From:' and 'Reply To:' addresses are often forged, stolen or created for the purposes of sending spam. Replying only indicates your e-mail address is valid. Don't click links in messages suspected to be a phishing attempt.
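Two of the warning signs above (a forged or redirected 'Reply To:' address, and links whose visible text does not match where they actually point) can be checked mechanically before anyone clicks. The following added example is not part of the SF State guide; it parses a constructed sample message (all addresses and hosts are made up) and reports both indicators.

```python
"""Added example: flag two phishing indicators in a raw e-mail message."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for illustration; not a real phishing e-mail.
SAMPLE = """\
From: "SF State ITS" <helpdesk@sfsu.edu>
Reply-To: support@example-mailbox.invalid
To: student@example.invalid
Subject: Your mailbox will be disabled in 24 hours
Content-Type: text/html; charset=utf-8

<p>Verify now: <a href="http://login-example.invalid/sfsu">https://sfsu.edu/login</a></p>
<p>Help: <a href="https://its.sfsu.edu">its.sfsu.edu</a></p>
"""

def addr_domain(header_value):
    """Return the lowercase domain of the address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def reply_to_mismatch(msg):
    """True when Reply-To points at a different domain than From."""
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    return bool(reply_dom) and reply_dom != from_dom

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def mismatched_links(html):
    """Return (href, visible_text) pairs whose shown host differs from the real host."""
    out = []
    for href, text in LINK_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip()
        # Visible text may be a bare host or a full URL; normalise it to a host.
        shown = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
        if shown and shown != href_host:
            out.append((href, text))
    return out

def analyse(raw):
    """Parse a raw message and return both indicators as a dict."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return {"reply_to_mismatch": reply_to_mismatch(msg), "bad_links": mismatched_links(html)}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A message that trips either check is a candidate for reporting with full headers rather than for a reply or a click.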


Use and enable browsers that are phishing aware

Security enhancements have been added to many popular web browsers. Beginning with Internet Explorer 7, Firefox 2.0 and Opera 9.x, these browsers have all implemented various anti-phishing measures. Make sure these features are enabled (most are on by default). This will significantly limit the probability that a link within an e-mail message redirects you to a fraudulent site.


ID and password management

Phishers often use the account and password they obtain to access other systems where the same login and password are used. If you keep your ID and password the same on several systems (e.g., campus, bank, social networking sites), and you have revealed your ID and password in a phishing attempt, change your password on all systems. Phishers deliberately target services where they expect people to be more lax with their credentials, rather than ones where their guard is likely to be higher.


Be aware of false threats

Phishing messages commonly include threats (e.g., your e-mail being turned off) in an attempt to get recipients to act quickly, without thinking. If you think there is a possibility a 'threat' might be real, verify it before replying.


Manage your Internet identity

Scammers attempt to extract sensitive information from multiple sources. If posting your e-mail on a Web site, forum, etc. brings you no real benefit, consider whether it really needs to be public. If you use any kind of social networking site, review the site policy on sharing information and activate any privacy features the site provides.


How to report phishing and spam e-mail

Instructions for sending full headers using supported e-mail clients are available on the How to report spam and phishing e-mail sent to SF State e-mail addresses page. If you need assistance, please contact your local IT support or the ITS Help Desk at or 415.338.1420.


How to report a phishing/malicious Website

Instructions for reporting malicious Websites are available in the How to Report Phishing Websites Guide. If you need assistance, please contact your local IT support or the ITS Help Desk at or 415.338.1420.


What to do if you responded to a phishing attempt

  1. Immediately change your password (including your SF State e-mail account password). If you use the same password for more than one account, you must change each instance of your password.
  2. Run anti-virus software (see SF State's Anti-Virus page for more information on McAfee anti-virus software).
  3. Windows: Run all recommended anti-malware software. See SF State's Windows Software Downloads page for more information on these tools.
  4. In your e-mail application (e.g., Outlook, Thunderbird, Mac Mail, OWA), open your signature file and verify that nothing has been added.
  5. If you are unclear on how to perform any of these steps, contact your local IT support or the ITS service desk.