Overview
As we prepare for the start of the 2024 spring semester, the ITS Security Team would like to remind you to use protection! Please help protect yourself, your devices, and our campus community against cybersecurity criminals and their attacks. To help with this, we'd like to share some situational awareness, information, and advisable actions you can take to keep your data and information safe. SF State has recently experienced multiple phishing and smishing scams targeting our Gator students and staff via compromised university email accounts, email spoofing, and text messages (SMS).
The image below shows an example of a credential phishing email sent last November to various SF State email addresses.
Recipients who clicked the "Review Messages" link received instructions to enter their user ID, password, and Duo passcode. With that information, the cybercriminal could change the unsuspecting user's direct deposit information to reroute deposits to an offshore bank. Fortunately, the ITS Security and Human Resources Teams were able to identify the threat and revert the changes before any extensive damage could take place.
The screenshot below is a recent example of a fake job offer.
If the offer appears too good to be true, it's likely a scam. Those interested in official job offers can find them listed at https://hr.sfsu.edu/student-employment. Financial aid information is available at https://gateway.sfsu.edu/. At no point will an SF State official or a related party ever ask a student or employee to provide personal or financial information via email or ask you to purchase or share gift card information. If you encounter a request or message like this, it is a scam and should be ignored and reported.
What You Can Do
Be vigilant and help protect yourself with the following actions:
- If you are unsure if a message is legitimate, please forward it to abuse@sfsu.edu for inspection or use the Report Phishing Button in Outlook.
- Do not click on links or attachments from senders you do not recognize. Be especially wary of .zip files or other compressed or executable file types.
- Do not provide sensitive personal information (like usernames and passwords) over email. If you receive an email asking you to take an action that involves your username and password, contact the sender by phone before doing so.
- Do not assume that a message from an "sfsu.edu" email address is from an SF State employee or student – especially if the sender asks for compensation (cash, credit card number, wire transfer, etc.).
- Stay aware and review our additional phishing resources on the ITS website at https://its.sfsu.edu/guides/phishing.
- Your SF State username and password combination should be unique to SF State and not used anywhere else. Do not re-use your SF State username and password combination on other services such as Facebook, online banking, TikTok, etc. If you are unsure if you have re-used your SF State password, change your password immediately. The link to change your SF State password is on the University home page. Select "Login" at the top right of the page.
- Watch for any unusual activity in your email account. Some examples may include email forwarding, receiving strange messages, or seeing emails showing up in your sent items that you did not personally send. If you see such activity, change your password immediately and contact the ITS Service Desk by emailing service@sfsu.edu, calling 415-338-1420, or submitting a ticket online.
Thank you for being vigilant, paying attention, and being careful when protecting your data here at SF State. Our Gator community appreciates your efforts.
Please have a safe and secure start to your Spring 2024 semester.