Skip to Main Content

Information Security Information Resources & Technology

Support Page Content

Phishing Awareness

Phishing attacks and cyber crimes continue to rise, and our goal is to empower you to identify, report, and not fall victim to digital scammers.

From 24/7 monitoring, ongoing education including periodic Cofense PhishMe training exercises, University-wide use of Duo multi-factor authentication, advising you to use Global Protect VPN to access campus services, sending timely phishing alerts through SacSend, and resource sharing from the National Cybersecurity Alliance, we're committed to keeping our Hornet Family safe online!

Something Phishy? Report it!

ASI President Nataly Andrade–Dominguez shares the ways you can quickly report campus cyber scams:

Types of Phishing

The National Cybersecurity Alliance offers a full library of topic-specific cybersecurity resources you can download - but in general, look for these tip-offs that what you've received may be a scam:

  • Feels suspicious/out of left field. If you're not expecting this type of message, don't recognize the sender, or you've never received correspondence like it before.
  • Urgent or emotionally appealing language or threats, to get you to act quickly.
  • Unexpected attachments or vague links to "click here." Untrusted shortened URLs are another tip-off.
  • Asks you to reply with personal/confidential/financial information, such as your ID or password, or to click a link to submit personal information.
  • Email address doesn’t match the sender: for example, official Sac State communications will only come from email addresses. Careful though - addresses can be spoofed, so pay careful attention to the message content for clues.
  • Generic email salutation instead of your name, or an incorrect recipient, or "Dear User."
  • The “From” field has a .com, .org, or .net address, not a name ("Bob Smith") or specific group (“Office of the President”).
  • Contains typos and grammatical errors

Emails/Texts/Phone Calls

Phishing schemes are correspondence designed to steal from you. They often look or sound official, with familiar logos or messaging, and will try to trick you into giving up information that can be later used in scams. We may open what we thought was a safe email, attachment or image only to find ourselves exposed to malware or a scammer looking for our personal data.

Phishing is more than just email, it's also arriving through:

  • Phone calls (spoofed calls, voice phishing or "vishing"), and/or
  • Text messages (SMS phishing or smishing)


A QR code (Quick Reponse Code) is a two-dimensional barcode that can store various types of data. It's often used for click-and-go access to websites, apps, or information when the user scans it with their smartphone camera.

QR code scams often send recipients to fake log in pages in order to steal their password. The messages/QR codes may promise discounts, rewards, or request personal or sensitive information. Scanning a QR code used in a phishing scam redirects users to a malicious website, or may even download malware onto their device. Be wary of this either in digital (or print) situations, such as job boards, event promotions, and more.


Spoofing is when a scammer deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Scammers often use spoofing numbers so it appears that an incoming call is coming from a local number, or spoof a number from a company or a government agency that you may already know and trust. If you answer, they use scam scripts to try to steal your money or valuable personal information, which can be used in fraudulent activity.


Unlike phishing, which is a broad net cast to large groups of people, spearphishing is a targeted attempt to steal your sensitive information through messages that appear to come from someone you may know. Spear-phishing attackers find their victims by scanning social networking sites and gathering an individual's email address, friends list, geographic location, and any posts about new gadgets that were recently purchased. The attacker then uses this information to act as a friend or a familiar entity and send a convincing but fraudulent message to their target asking them to open a malicious attachment or click on a link that takes them to a spoofed website to provide passwords, account numbers, PINs, and/or access codes. Spearfishing is the most successful form of acquiring confidential information on the internet, accounting for 91% of attacks.

Advance-Fee Scam

An advance-fee scam is a form of fraud and is one of the most common types of confidence tricks. The Federal Bureau of Investigation (FBI) defines an advance-fee scam as "when a victim pays money to someone in anticipation of receiving something of greater value - such as a loan, contract, investment, or gift - and then receives little or nothing in return."

The scam typically involves promises a victim a significant share of a large sum of money, in return for a small up-front payment, which the scammer claims will be used to obtain the large sum. When a victim makes the payment, the scammer either invents a series of further fees for the victim to pay or simply disappears.

Duo Flooding

Multifactor authentication with Duo is a great protection against unauthorized access, but if your Sac State account becomes compromised, hackers may attempt to send you Duo push notifications you didn't originate in the hopes that you'll accept and allow them to gain access to campus systems as "you." If you receive a Duo push notification you did not originate, follow these steps:

  1. Press the deny button, then click "yes" to report it as a suspicious login.
  2. Change your password ASAP to something completely different at

Current Scams

Fresh Phish: Beware of These Phishing Scams

The most common scams impacting students include "fake jobs" that sound too good to be true, or involve financial aid theft. These spearfishing scams occur especially during financial aid disbursement timeframes, and specifically try to trick students into providing their federal student aid login credentials.

Providing personally identifiable information (PII) through a "job application" or spearfishing attack can lead to further unwanted activity, account compromise, and financial aid theft. The University and legitimate businesses will never ask for this type of information in emails.

Here are current (and some ongoing) phishing attacks against campus accounts. We’ll keep this list updated, so check back whenever you wonder whether a new, widespread scam may be occurring.

  1. Office 365 "Account Termination"
  2. Fake Job and Computer Purchase
  3. "Duo flooding" - Duo push notifications you didn't originate
  4. Spoofed "Sacramento State Phone Call" Scam
  5. Fake Job Opportunity

Report Suspected Phishing

Received something phishy? Now comes the important part — reporting it so we can do some detective work to protect you and our entire campus community from further damage.

Do not click any links or open any attachments (they may contain viruses or malware), and report the message immediately in either of these ways:

  1. Built-In PhishMe Reporter Tool in Outlook
    You can quickly report suspicious emails directly through your University Outlook menu using the PhishMe Reporter tool - it automatically generates a report to the IRT Information Security Office team.

  2. Email the IRT Information Security Office
  • Open a new email message to ""
  • Drag and drop the suspicious message into the body of the new message as an attachment
  • Add a subject line such as "possible phishing email" and click send

Lastly, delete the message. Don’t reply or click on any attachment or link, including any “unsubscribe” link. The unsubscribe button could also carry a link used for phishing.

Victim of Phishing? What to Do Next

Oops! If you've clicked something in a phishing message and/or provided any credentials, we recommend you:

  1. Immediately change your SacLink account password at, and then
  2. Alert the IRT Service Desk Team at or (916) 278-7337.

Internet of Things (IoT)

The Internet of Things (IoT) sounds Sci-Fi, but you know them as Alexa, your iPhone/Android, or a Ring front door camera. IoT devices interconnect our work and home worlds, and have truly become extensions of ourselves. Not securing them is what hackers count on when they try to steal your identity. The National Cybersecurity Alliance shares these tips on how to lock down your IoT devices.

Other Ways to Protect your Account

Sacramento State also participates in 2-Step Verification with Duo, which provides extra account protection even if an attacker gains access to your password. As a security best practice, all Faculty, Staff, and Students are required to enroll and use Duo to protect their account and identity.

As an additional security best practice, be sure to download and use Global Protect Virtual Private Network (VPN), which protects your connection whether on- or off-campus - and is especially important if you’re using an unsecure public Wi-Fi connection.


cyber-awareness-month-champion-badge.jpgProtecting the Hornet Hive! Every October, Sacramento State serves as a champion of National Cybersecurity Awareness Month which features educational campaigns, resources, and tips on how to out-trick hackers.

Each week, we've shared specific messaging with campus audiences through SacSend broadcast emails and social media to increase awareness of what to look for and to empower every Hornet to never fall victim to phishing schemes:

Campus Phishing Awareness Campaigns

We partner with Cofense PhishMe to provide phishing training to help our campus community recognize, report, and delete email phishing messages. We periodically send test Cofense PhishMe training emails to your Sac State account that mimic phishing emails typically targeting our Hornet Family. You can see how we're doing as a campus in past training exercises.

PhishMe Campaign Results