Security Advisory – Phishing

About phishing attacks

Phishing attacks are the most common and effective cybersecurity threat to individuals and businesses. Most phishing messages indicate immediate action is needed to avoid an unwanted time-sensitive consequence. Be suspicious of all requests and review messages carefully to determine if the message may be a phishing scam.

Detect phishing attacks

Be suspicious of all requests. Ask, "Is this real?" Use the following checklist to check for common signs of phishing messages:

  1. Message indicates urgent action is needed
  2. Message indicates negative consequences will occur if action is not taken
  3. Message is not expected
  4. Message sender is not known
  5. Message cannot be read without opening an attachment
  6. Message requests sensitive information be sent
  7. Message directs users to "click here"
  8. Message uses poor grammar and/or spelling
  9. Sender from: name does not match message signature
  10. Sender email address does not match organization name
  11. Sender email address is not exactly the same as real address
  12. Sender name is not listed in campus directory
  13. Department name shown in message does not match A-Z listing
  14. Web site address (URL) of linked site does not match organization
  15. Message was not sent using SF State approved servers

Report phishing attacks

If you receive a phishing message, please report it using the ‘Report Phishing’ link found in Outlook Web Access and Outlook 2013 and 2016 clients. The message will be reported to SF State’s Information Security Team and will also be forwarded the Microsoft’s Office365 Online Protection Service, which provides automated screening services for SF State’s faculty and staff email. If the message was part of a PhishMe training exercise you will receive a reply indicating you correctly identified it. If you are using a different email client, please forward the message with full headers to

If you believe you were already tricked by a phishing scam:

  1. Immediately change your password(s) using a different computer
  2. Scan your computer for malware that may have been introduced
  3. Report the incident by sending email to

Preparing for phishing attacks

Convincing phishing messages will be periodically sent to employees to illustrate the ways phishing messages are designed to trick people. If you receive any phishing messages please report them following the instructions above. Results of phishing training exercises will be used to assist individuals who may need additional training.

For more information

The Information Security team has introduced an ongoing Information Security Awareness program for faculty and staff. This program is designed to help employees protect their sensitive information and that belonging to others. The program combines monthly advisory messages with phishing training exercises. For more information please see the Information Security Awareness program for faculty and staff guide at: