About phishing attacks
Phishing attacks are the most common and effective cybersecurity threat to individuals and businesses. Most phishing messages indicate immediate action is needed to avoid an unwanted time-sensitive consequence. Be suspicious of all requests and review messages carefully to determine if the message may be a phishing scam.
Detect phishing attacks
Be suspicious of all requests. Ask, "Is this real?" Use the following checklist to check for common signs of phishing messages:
- Message indicates urgent action is needed
- Message indicates negative consequences will occur if action is not taken
- Message is not expected
- Message sender is not known
- Message cannot be read without opening an attachment
- Message requests sensitive information be sent
- Message directs users to "click here"
- Message uses poor grammar and/or spelling
- Sender "From:" name does not match message signature
- Sender email address does not match organization name
- Sender email address is not exactly the same as the real address
- Sender name is not listed in campus directory
- Department name shown in message does not match A-Z listing
- Web site address (URL) of linked site does not match organization
- Message was not sent using SF State approved servers
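Several items on this checklist can be checked mechanically from a message's headers and body. The Python sketch below is an added example, not an SF State tool: it applies five of the items to a constructed sample message. Assumptions: the organization name and domain constants, the short urgency keyword list, and a receiving mail gateway that records its SPF result in an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_NAME, ORG_DOMAIN = "sf state", "sfsu.edu"  # assumptions based on this page's addresses

# Constructed sample message (not a real email); single-part HTML only.
SAMPLE = """\
From: "SF State Help Desk" <helpdesk@sfsu-edu.example>
Subject: URGENT: mailbox will be suspended today
Authentication-Results: mx.example; spf=fail smtp.mailfrom=sfsu-edu.example
Content-Type: text/html; charset="utf-8"

<p>Your account will be disabled unless you verify immediately.</p>
<p><a href="http://login.sfsu-edu.example/verify">Click here</a></p>
"""

class LinkCollector(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def in_org(host):
    # True only for the organization's domain or one of its subdomains.
    host = (host or "").lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def checklist_hits(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    name, addr = parseaddr(msg.get("From", ""))
    links = LinkCollector()
    links.feed(body)
    hits = []
    if re.search(r"\b(urgent|immediately|suspended|disabled)\b", text):
        hits.append("urgent action or negative consequences")
    if "click here" in text:
        hits.append("directs users to click here")
    if ORG_NAME in name.lower() and not in_org(addr.rpartition("@")[2]):
        hits.append("sender address does not match organization name")
    if any(not in_org(urlparse(h).hostname) for h in links.hrefs):
        hits.append("linked URL does not match organization")
    if re.search(r"\bspf=(fail|softfail)\b", msg.get("Authentication-Results", "")):
        hits.append("not sent through approved servers (SPF failure)")
    return hits
```

Items such as "message is not expected" or "sender is not known" depend on context the recipient has and the headers do not, so an empty result from a check like this does not mean a message is safe.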
Report phishing attacks
If you receive a phishing message, please report it using the ‘Report Phishing’ link found in Outlook Web Access and Outlook 2013 and 2016 clients. The message will be reported to SF State’s Information Security Team and will also be forwarded to Microsoft’s Office365 Online Protection Service, which provides automated screening services for SF State’s faculty and staff email. If the message was part of a PhishMe training exercise, you will receive a reply indicating you correctly identified it. If you are using a different email client, please forward the message with full headers to abuse@sfsu.edu.
If you believe you were already tricked by a phishing scam:
- Immediately change your password(s) using a different computer
- Scan your computer for malware that may have been introduced
- Report the incident by sending email to incident@sfsu.edu
Preparing for phishing attacks
Convincing phishing messages will be periodically sent to employees to illustrate the ways phishing messages are designed to trick people. If you receive any phishing messages, please report them following the instructions above. Results of phishing training exercises will be used to assist individuals who may need additional training.
For more information
The Information Security team has introduced an ongoing Information Security Awareness program for faculty and staff. This program is designed to help employees protect their sensitive information and that belonging to others. The program combines monthly advisory messages with phishing training exercises. For more information please see the Information Security Awareness program for faculty and staff guide at: https://its.sfsu.edu/guides/informationsecurityawarenessprogramfacultyan...