Support Page Content
Phishing attacks and cyber crimes continue to rise, and our goal is to empower you to identify, report, and not fall victim to digital scammers.
From 24/7 monitoring, ongoing education including periodic Cofense PhishMe training exercises, supporting Duo multi-factor authentication University-wide, advising you to use Global Protect VPN to access campus services, sending timely phishing alerts through SacSend, and resource sharing from the National Cybersecurity Alliance, we're committed to keeping our Hornet Family safe online!
Types of Phishing
Phishing schemes are correspondence designed to steal from you. They often look official, with familiar logos or messaging, and will try to trick you into giving up information that can be later used in scams. You can usually identify a phishing attempt because they convey urgency, make claims or threats about the security of your account, ask for confidential information, or just seem suspicious. Phishing isn't just through email, it's also arriving through:
- Phone calls (spoofed calls, voice phishing or vishing), and/or
- Text messages (SMS phishing or smishing)
The National Cybersecurity Alliance makes it easy with a full library of topic-specific cybersecurity resources you can download - but in general, look for these signs:
- Asks you to reply with personal information, such as your ID or password, or to click a link to submit personal information.
- Email address doesn’t match the sender: for example, official Sac State communications will only come from @csus.edu email addresses.
- Generic email salutation instead of your name, or an incorrect recipient, or "Dear User."
- The “From” field has a .com, .org, or .net address, not a name ("Bob Smith") or specific group (“Office of the President”).
- Contains typos and grammatical errors
Common attacks via campus email includes financial aid scams, “fake job” offers, tax season attacks, and scammers taking advantage of those working remotely during COVID-19.
Spoofing is when a scammer deliberately falsifies the information transmitted to your caller ID display to disguise their identity. Scammers often use spoofing numbers so it appears that an incoming call is coming from a local number, or spoof a number from a company or a government agency that you may already know and trust. If you answer, they use scam scripts to try to steal your money or valuable personal information, which can be used in fraudulent activity.
Unlike phishing, which is a broad net cast to large groups of people, spearphishing is a targeted attempt to steal your sensitive information through messages that appear to come from someone you may know. Spear-phishing attackers find their victims by scanning social networking sites and gathering an individual's email address, friends list, geographic location, and any posts about new gadgets that were recently purchased. The attacker then uses this information to act as a friend or a familiar entity and send a convincing but fraudulent message to their target asking them to open a malicious attachment or click on a link that takes them to a spoofed website to provide passwords, account numbers, PINs, and/or access codes. Spearfishing is the most successful form of acquiring confidential information on the internet, accounting for 91% of attacks.
An advance-fee scam is a form of fraud and is one of the most common types of confidence tricks. The Federal Bureau of Investigation (FBI) defines an advance-fee scam as "when a victim pays money to someone in anticipation of receiving something of greater value - such as a loan, contract, investment, or gift - and then receives little or nothing in return."
The scam typically involves promises a victim a significant share of a large sum of money, in return for a small up-front payment, which the scammer claims will be used to obtain the large sum. When a victim makes the payment, the scammer either invents a series of further fees for the victim to pay or simply disappears.
Fresh Phish: Beware of These Phishing Scams
The most common scams impacting students involve financial aid theft. These spearfishing scams occur especially during financial aid disbursement timeframes, and specifically try to trick students into providing their federal student aid login credentials.
Providing personally identifiable information (PII) through a spearfishing attack can lead to further unwanted activity, account compromise, and financial aid theft. The University and legitimate businesses will never ask for this type of information in emails.
Current Phishing Scams
Additionally, here’s a list of current (and some ongoing) phishing attacks against campus accounts. We’ll keep this list updated, so check back whenever you wonder whether a new, widespread scam may be occurring.
Report Suspected Phishing
Received something phishy? Now comes the important part — reporting it so we can do some detective work to protect you and our entire campus community from further damage. First thing's first: do not click any links or open any attachments (they may contain viruses or malware), and report the message immediately in either of these ways:
Easiest/Quickest! Click the PhishMe Reporter button built into your Outlook menu. This automatically generates a report to the IRT Information Security Team.
— or —
Email the suspicious message as an attachment to firstname.lastname@example.org.
- Open a new email message
- Drag and drop the suspicious message into the body of the new message
- Add a subject line and click send
- Delete the message
One more thing
If the phish you've reported appears to be from a Sacramento State account, please also call the IRT Service Desk Team right away at 916-278-7337 during open hours to ensure we're in the loop, and can work quickly to prevent further account compromises.
Victim of Phishing? What to Do Next
Oops! If you've clicked something in a phishing message and/or provided any credentials, we recommend you:
Internet of Things (IoT)
The Internet of Things (IoT) sounds Sci-Fi, but you know them as Alexa, your iPhone/Android, or a Ring front door camera. IoT devices interconnect our work and home worlds, and have truly become extensions of ourselves. Not securing them is what hackers count on when they try to steal your identity. The National Cybersecurity Alliance shares these tips on how to lock down your IoT devices.
Other Ways to Protect your Account
Sacramento State also participates in 2-Step Verification with Duo, which provides extra account protection even if an attacker gains access to your password. As a security best practice, all Faculty, Staff, and Students are required to enroll and use Duo to protect their account and identity.
As an additional security best practice, be sure to download and use Global Protect Virtual Private Network (VPN), which protects your connection whether on- or off-campus - and is especially important if you’re using an unsecure public Wi-Fi connection.
Campus Phishing Awareness Campaigns
We partner with Cofense PhishMe to provide phishing training to help our campus community recognize, report, and delete email phishing messages. We periodically send test Cofense PhishMe training emails to your Sac State account that mimic phishing emails typically targeting our Hornet Family. You can see how we're doing as a campus in past training exercises.
PhishMe Campaign Results
- "Part-Time Job" and "Fake Invoice" - September 2022
- "Office 365 Email Delivery Error" Test - April 2022
- "Shipping Error" Phishing Test - February 2022
- "Financial Aid Missing Documents" Phishing Test - March 2021
- "Unauthorized Account Activity" Phishing Test - October 2020
- "Password Expiration" Phishing Test - September 2020
- "Message from Chancellor" Phishing Test - May 2020
- "Missing Financial Aid Docs" Phishing Test - February 2020
- "Fake Sac State Login" Phishing Test - October 2019
- "Fake Job Opportunity" Phishing Test - July 2019
- "Financial Aid Payment Late Fee" Phishing Test - Feb 2019
- "Recover Email Account" Phishing Test - October 2018