Watch Out for Phishing and Smishing Scams Targeting Campus Community

Overview

To protect our campus community against cybersecurity criminals, we are sharing situational awareness, information, and advisable actions. SF State has experienced multiple phishing and smishing scams targeting faculty, staff, and students via compromised university email accounts, spoofing, and SMS.

These messages appear legitimate but are indeed a scam, as they mimic what might be considered a real alert or message. Phishing or smishing messages may contain links that navigate end users to fake web pages. The scammers may ask the recipient to type in their username and password or display a page resembling the SF State Two-factor Authentication (2FA) or Single Sign-On (SSO) page.

As a reminder, if the offer appears too good to be true, it’s likely a scam. You can view official job opportunities at student employment or faculty, staff and managment opportunities . Financial aid information is available at https://gateway.sfsu.edu/. No SF State official or a related party will ever ask a student or employee to purchase or share gift card information, such as the dollar amount, gift card number, or security code. If one encounters a request or message like this, it is a scam and should be ignored and reported. 

What You Can Do

Be vigilant and help protect yourself with the following actions:

1. If you can’t tell whether a message is legitimate, please forward it to abuse@sfsu.edu for inspection or use the “Report Phishing Button” in Outlook.
2. Do not click on links or attachments from recipients you do not recognize. Be especially wary of .zip files or other compressed or executable file types. 
3. Do not provide sensitive personal information (like usernames and passwords) over email. If you receive an email asking you to take an action that involves your username and password, contact the sender by phone before doing so. 
4. Do not assume a “sfsu.edu” email address is from an SF State employee or student – especially if they ask for compensation (cash, credit card number, wire transfer, etc.).
5. Additional phishing resources are on the ITS website at https://its.sfsu.edu/guides/phishing. 
6. Your SF State username and password combination should be unique to SF State and not used anywhere else. Do not re-use your SF State username and password combination on other services such as Facebook, online banking, TikTok, etc. If you are still determining if you have re-used your SF State password, change your password immediately. The link to change your SF State password is on the university home page. Select “Login” at the top right of the page.
7. Watch for unusual activity in your email account. Such as email forwarding or if you may be receiving strange messages or seeing emails showing up in your sent items that you did not personally send. If you see such activity, change your password immediately and contact the ITS Service Desk by emailing service@sfsu.edu, calling 415-338-1420, or submitting a ticket online. 

Thank you for paying attention and being careful when protecting your data here at SF State.