Reporting Spam and Phishing

The PhishMe Reporter is an add-on to Microsoft Outlook 2013 and 2016, Outlook Web Access (OWA), and the Outlook mobile client. It is the standard and preferred method to report spam and phishing email messages and should be used whenever possible. It reports the suspicious message to the SF State Information Security Team with all of the necessary information and deletes it from the user's inbox at the same time.

Who can use PhishMe Reporter?

This add-on is enabled for faculty and staff.

How to Report Spam and Phishing

Add-ons such as the PhishMe Reporter are intended to be used with the primary email account in Outlook. To report a message received in a shared mailbox, use one of these workarounds:

  1. In Outlook, drag the offending message to the primary mailbox, and use the PhishMe button.
  2. In Outlook Web Access (OWA), "switch" into the shared mailbox account and then use the PhishMe button.
  3. Create a separate Outlook profile for the shared mailbox and log in to it using the delegated person's credentials.

Outlook Mac 2016

  1. Open or preview the message.

  2. Select the Report Phishing button at the top of the Outlook window. Note: If you do not see a Report Phishing link, your Outlook may be missing updates from Microsoft that add a Report Phishing link in the same way as Outlook Web Access. If this is the case, either follow the OWA instructions or update your Outlook application (Help > Check for Updates).
    Outlook Mac 2016 Report Phishing icon

  3. Check that the correct message is being reported and select OK.
    Click OK to report this email to our Information Security Team.

  4. If the message was a part of the PhishMe training exercise you will receive the feedback shown below that states “Good job! This email was part of our immersive phishing awareness education. Thank you for staying vigilant!” Otherwise, your message will be forwarded (with full headers) to the ITS Security Team and to the Microsoft Online Protection team.
    Message that is received if the email was in fact phishing.

Instructions for Outlook for Windows users are under active development. In the interim, please follow the instructions for Outlook Mac 2016.

Outlook Web Access (OWA)

  1. Open or preview the message.

  2. If you are using the older version of OWA, select the Report Phishing icon as seen below:
    Old version of OWA Report Phishing icon 
    If you are using "The new Outlook", see below:

  3. Select the 3 dots to see the "More actions" menu choices
    The new Outlook 3 dots "More actions" menu choices

  4. Select the Report Phishing icon as shown below:
    New Outlook Report Phishing icon in long menu

  5. Check that the correct message is being reported and select OK.
    Click OK to report this email to our Information Security Team.

  6. If the message was a part of the PhishMe training exercise, you will receive the feedback shown below that reads, “Good job! This email was part of our immersive phishing awareness education. Thank you for staying vigilant!” Otherwise, your message will be forwarded (with full headers) to the ITS Security Team and to the Microsoft Online Protection team.
    Message received if the email was in fact phishing.

Outlook for iOS

Report Phishing in Outlook for iOS

Outlook for Android

Report Phishing in Outlook for Android

The following information details how to correctly report spam and phishing email sent to SF State email addresses.

Phishing Email from Internal, Compromised SF State Accounts

If a phishing/spam message originates from an internal, compromised SF State account, SF State should be notified. Compromised SF State accounts can only be resolved by SF State. Microsoft spam filtering does not scan messages sent from one SF State Exchange account to another. Please report compromised SF State accounts to the ITS Help Desk so we can stop the phishing message distribution as quickly as possible. To report compromised SF State accounts, forward a copy of the message with full headers to service@sfsu.edu.

Some messages are actually spoofed: they look like they are from an internal account but were sent using an external server. This can be identified from the message header. Spoofed messages should be reported to Microsoft. The ITS Help Desk can assist in identifying spoofed messages.
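
One way to read the header evidence described above, as an added example (not SF State's or Microsoft's own tooling): it compares the From domain with the Authentication-Results verdicts and the sending hosts named in the Received headers. The sample message, the host names and the `INTERNAL_DOMAIN` constant are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "sfsu.edu"  # assumption: the domain treated as internal

# Constructed sample: From claims an internal address, but an outside server
# delivered the message and SPF/DMARC failed.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.25])
\tby mx.example.org; Mon, 01 Jan 2024 10:00:00 -0800
Authentication-Results: mx.example.org;
\tspf=fail smtp.mailfrom=sfsu.edu; dkim=none; dmarc=fail header.from=sfsu.edu
From: "Help Desk" <helpdesk@sfsu.edu>
To: someone@sfsu.edu
Subject: Password expiry

Constructed body.
"""


def is_internal(host):
    host = host.lower().rstrip(".")
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def assess(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Only trust Authentication-Results stamped by your own receiving server.
    results = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = {m.lower(): r.lower()
                for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I)}
    failed = sorted(m for m in ("spf", "dmarc")
                    if verdicts.get(m) in ("fail", "softfail"))
    # "Received: from <host>" names are sender-supplied; treat them as a hint.
    hops = re.findall(r"^from\s+(\S+)", "\n".join(msg.get_all("Received", [])), re.M)
    external_hops = [h for h in hops if not is_internal(h)]
    if not is_internal(from_domain):
        verdict = "external sender"
    elif failed:
        verdict = "likely spoofed"
    else:
        verdict = "no spoofing evidence"
    return {"from_domain": from_domain, "failed": failed,
            "external_hops": external_hops, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE))
```

A "no spoofing evidence" result does not clear a message: mail from a compromised internal account carries genuine internal headers and still needs to be reported.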

Phishing Email from External Accounts

If the phishing/spam message originates from an external address/server, forward a copy of the message with full headers to abuse@sfsu.edu and abuse@messaging.microsoft.com. This informs Microsoft, which can add it to the block list.

Forwarding with Headers/As an Attachment

Use the following instructions to report spam/phishing to the correct address:

Information Security Awareness Program

The Information Security team has introduced an ongoing Information Security Awareness program for faculty and staff. This program is designed to help employees protect their sensitive information and that belonging to others. The program combines monthly advisory messages with phishing training exercises. For more information please see: Information Security Awareness program for faculty and staff.