Quishing and Phishing Scams Targeting Campus Community

Overview

As the winter break approaches, the ITS Security team wants to ensure our campus community has a safe and happy holiday season. Unfortunately, this time of year also brings an increase in cybersecurity threats. SF State has recently experienced multiple phishing scams targeted at our campus. These scams are particularly devious, as they aim to exploit campus members' goodwill and generosity.

With the introduction of quishing (QR code phishing), attackers have found yet another way to trick people into sharing personal data through malicious QR codes. Be extra vigilant and protect yourself against these cyber grinches! As if phishing, smishing, and vishing were not enough, quishing adds another layer of deception. Always verify URLs before entering sensitive information, and be cautious about scanning QR codes from untrusted sources.

A fraudulent QR code next to a real QR code

What is Quishing? 

Quishing, or QR phishing, uses a malicious QR code that can lead you to spoofed websites or, even worse, prompt you to download harmful content. The goal is to steal sensitive information such as passwords, financial information, or personally identifiable information and use it for identity theft, financial fraud, or ransomware.

This type of phishing bypasses conventional defenses. Most end users perceive QR codes in emails as harmless images. QR codes are everywhere and often trusted without question. However, it is best to question the validity of any QR code you encounter for your safety. The best defense is cautious scanning and verifying the URLs before entering information. 

Phishing Scams 

Phishing scams continue to plague the campus community. If an offer appears too good to be true, it's likely a scam. 

No SF State official or related party will ever ask a student or employee to purchase or share gift card information, including the dollar amount, gift card number, or security code. If one encounters a request or message like this, it is a scam. Please ignore the request and report the message as soon as possible.

What You Can Do 

Be vigilant and help protect yourself with the following actions: 

  1. If you can't tell whether a message is legitimate, please forward it to abuse@sfsu.edu for inspection or use the "Report Phishing Button" in Outlook. 
  2. Do not click on links or attachments from senders you do not recognize. Be especially wary of .zip files or other compressed or executable file types. 
  3. Do not send sensitive personal information (like usernames and passwords) via email. If you receive an email asking you to take action involving your username and password, contact the sender by phone before doing so. 
  4. Do not assume an "sfsu.edu" email address belongs to an SF State employee or student, especially if the sender asks for compensation (cash, credit card number, wire transfer, etc.). 
  5. Additional phishing resources are on the ITS website at https://its.sfsu.edu/guides/phishing
  6. Your SF State username and password combination should be unique to SF State and not used anywhere else. Do not re-use your SF State username and password combination on other services such as Facebook, online banking, TikTok, etc. If you are unsure if you have re-used your SF State password, change your password immediately. The link to change your SF State password is on the university home page. Select "Login" at the top right of the page. 
  7. Watch for unusual activity in your email account, such as email forwarding, strange incoming messages, or emails in your sent items that you did not personally send. If you see such activity, change your password immediately and contact the ITS Service Desk by emailing service@sfsu.edu, calling 415-338-1420, or submitting a ticket online.

 

A QR Code with a Skull and Cross Bones Inside

Thank you for taking precautions and staying vigilant when protecting your data here at SF State.