Phishing and Smishing Scams Target Students, Staff, and Faculty

Overview

SF State has experienced multiple phishing and smishing attacks targeted at faculty, staff, and students via compromised University email accounts, email spoofing, or SMS messages. As the Spring semester begins, ITS would like to spread security awareness to protect our campus community against cybercriminals and their tactics. We know how important your personal information and data are, so we want to share situational awareness, information, and advisable actions to help keep them safe.

 

Fight the Phish

 

Phishing vs Smishing: How to Spot the Difference

There are multiple ways a cybercriminal may trick you into trusting them to obtain access to your private information. You should look out for two different approaches: phishing and smishing. 

 

Phishing

As defined by the National Cybersecurity Alliance, “Phishing is when criminals use fake emails, social media posts, or direct messages with the goal of luring you to click on a bad link or download a malicious attachment. If you click on a phishing link or file, you can hand over your personal information to cybercriminals. A phishing scheme can also install malware onto your device.” You can read more information on phishing on the National Cybersecurity Alliance website.

 

Smishing

“Smishing is a phishing message received via an SMS text message. Just like an email phishing attempt, scammers are targeting your sensitive information. Similar to what you might experience in your email, these messages use emotional triggers to entice you to interact with the links.” To read more information on smishing, consult the National Cybersecurity Alliance website.    

 

Phishing or smishing messages may contain links that navigate users to fake web pages. The scammers may ask the recipient to type in their username and password or display a page resembling the SF State Two-factor Authentication (2FA) or Single Sign-On (SSO) page. These messages appear legitimate because they mimic a real alert email or text message, but they are a scam.

 

If an offer appears too good to be true, it’s likely a scam. You can view official job offers on the SF State Human Resources website. Users can find official financial aid information on the Office of Student Financial Aid website. No SF State affiliate or representative will ever ask a student or an employee for personal, private, or financial information via email or text (SMS) messages. Cybercriminals have recently been asking recipients to purchase gift cards or share gift card information, such as the dollar amount, gift card number, or gift card security code. SF State will NEVER ask anyone to purchase or use gift cards of any kind. If you encounter a request or message like this, ignore it and report it to ITS immediately.

 

What You Can Do

Be vigilant and help protect yourself and your fellow Gators with the following actions.

  • If you’re unsure if an email message is legitimate, please forward it to abuse@sfsu.edu for inspection or use the Report Phishing button in Outlook.       
  • Do not click on links or attachments from senders you do not recognize. Be especially wary of strange links in text messages or of .zip files or other compressed or executable file types that might be attached to an email.
  • Do not provide sensitive personal information (like usernames and passwords) over email or text. If you receive a text/email asking you to take an action that involves your username and password, contact the sender by phone before doing so. 
  • Do not assume that an “sfsu.edu” email address, or a text message claiming to be from an SF State employee or student, is safe, especially if the sender is asking for compensation (cash, credit card number, wire transfer, etc.).
  • Your SF State username and password combination should be unique to SF State and not used anywhere else. Do not re-use your SF State username and password combination on other services such as Facebook, online banking, TikTok, etc. If you are unsure whether you have re-used your SF State password, change your password immediately. You can find the link to change your SF State password on the University home page. Select “Login” at the top right of the page.
  • Watch for unusual activity on both your phone and email account. If you see such activity, change your password immediately. Make sure you aren’t responding to strange text messages, and keep an eye out for emails being forwarded or showing up in your sent items that you did not personally send.
  • If you notice anything suspicious, contact the ITS Service Desk by emailing service@sfsu.edu, calling 415-338-1420, or submitting a ticket online. We’re always here to help.
  • Be sure to familiarize yourself with additional phishing resources provided on the ITS website at https://its.sfsu.edu/guides/phishing.

 

 


 

Thank you for doing your part by staying vigilant and careful with your data and information at SF State. Our number one priority is protecting our community’s privacy.