Phishing Guide

What is Phishing

Phishing is an attempt to acquire sensitive information by pretending to be a legitimate or trustworthy entity. Phishing is typically carried out by email (as a variant of spam) or via text messaging and may involve redirecting a user to a forged Website as well. "Spear-phishing" is an attack focused on a community of users.


How to avoid being a phishing victim

Don't rely on forgeable credentials

Caller ID, text message IDs, and email 'From:' and 'Reply To:' addresses can all be forged. Therefore, you cannot trust them as a source of verification. SF State will never ask you for sensitive data via email.

Don't respond to messages you suspect may be phishing

Email 'From:' and 'Reply To:' addresses are often forged, stolen or created for the purposes of sending spam. Replying only indicates your email address is valid. Don't click links in messages suspected to be a phishing attempt.

Use and enable browsers that are phishing aware

Security enhancements have been added to many popular web browsers. Beginning with Internet Explorer 7, Firefox 2.0 and Opera 9.x, these browsers have all implemented various anti-phishing measures. Make sure these features are enabled (most are on by default). This will significantly limit the probability that you are redirected to a fraudulent link within an email message.

ID and password management

Phishers often use the account and password they obtain to access other systems where the same login and password are used. If you use the same ID and password on several systems (e.g., campus, bank, social networking sites) and you revealed them in a phishing attempt, change your password on all of those systems. Phishers deliberately target places where they expect people to be more lax with their credentials, rather than channels where people's guard is likely to be higher.

Be aware of false threats

Phishing messages commonly include threats (e.g., your email being turned off) in an attempt to get recipients to act quickly, without thinking. If you think there is a possibility a 'threat' might be real, verify it before replying.

Manage your Internet identity

Scammers attempt to extract sensitive information from multiple sources. If posting your email on a Web site, forum, etc. brings you no real benefit, consider whether it really needs to be public. If you use any kind of social networking site, review the site policy on sharing information and activate any privacy features the site provides.

How to report phishing and spam email

Instructions for sending full headers using supported email clients are available on the Reporting Spam and Phishing page. If you need assistance, please contact your local IT support or the ITS Help Desk at or 415.338.1420.

How to report a phishing/malicious Website

Instructions for reporting malicious Websites are available in the How to Report Phishing Websites Guide. If you need assistance, please contact your local IT support or the ITS Help Desk at or 415.338.1420.

What to do if you responded to a phishing attempt

  1. Immediately change your password (for SF State email accounts). If you use the same password for more than one account, you must change each instance of your password.
  2. Run anti-virus software (see SF State's McAfee Anti-Virus Software Guide).
  3. Windows: Run all recommended anti-malware software. See SF State's Windows Software Downloads page for more information on these tools.
  4. In your email application (e.g., Outlook, OWA), open your signature file and verify that nothing has been added.
  5. If you are unclear on how to perform any of these steps, contact your local IT support or the ITS service desk.