TO: Campus community
FR: Andru Luvisi, Information Security Officer
Welcome to the new semester!
I’m writing to remind you of a few important steps to protect you and the university from cybercriminals and data breaches.
Please remember that Level I data such as passwords, PINs, and account numbers (see Level I data as defined by the CSU Data Classification Standard) must never be sent through email unencrypted. When sending encrypted data through email, the key needed to decrypt it (otherwise known as the decryption key or passphrase) should never be sent over email. Instead, the key should be sent using a different communication medium, such as a telephone call or text message.
Also, please remember to double-check the recipients of your email when sending Level II data or other sensitive information through email.
Phishing emails are continually sent to members of our campus community. Phishers are criminals who attempt to impersonate an organization with whom you have an electronic account, such as your bank or Sonoma State University. They attempt to deceive you into giving them your username and password, social security number, birth date or other sensitive information.
Sometimes phishing emails contain or link to malicious software (malware) that allows others to control or access your computer, including your files, camera, microphone, and anything displayed on your monitor or played through your speakers. Some malware can use your computer, without your knowledge, to perpetrate further criminal activity.
You should suspect phishing when:
- You receive an unexpected email, or the email claims to be part of a transaction that you did not initiate;
- The email contains obvious deviations from standard practice, such as when the "To" or "From" addresses are incorrect or missing, or when the message contains poor spelling and grammar, generic greetings, or incorrect information;
- The email contains threats, requests for money or sensitive information, or includes offers that seem too good to be true;
- Upon hovering over a link, the target URL either doesn’t match the displayed text or is formatted deceptively (http://wwwsonoma.edu.example.com and http://firstname.lastname@example.org are links to example.com and not to sonoma.edu); or
- Something just doesn’t look right to you.
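The link check in the list above can also be automated. The following is an added example, not part of the original memo: it extracts each link from an HTML email body and reports when the real host differs from what the link suggests. The names `TRUSTED`, `real_host`, `check_link`, `LinkCollector` and `scan` are illustrative, and the sample body, including the `@`-style URL, is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "sonoma.edu"  # assumption: the domain the memo's example links imitate

def real_host(url):
    """Hostname a browser actually connects to (anything before '@' is dropped)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def check_link(href, text, trusted=TRUSTED):
    """Return the reasons a link looks deceptive (empty list if none)."""
    reasons, host = [], real_host(href)
    netloc = urlsplit(href).netloc.lower()
    if "@" in netloc:
        reasons.append("text before '@' is not the host")
    if trusted in netloc and host != trusted and not host.endswith("." + trusted):
        reasons.append(f"mentions {trusted} but goes to {host}")
    shown = text.strip()
    # Displayed text that itself looks like a URL must name the same host.
    if "." in shown and " " not in shown and real_host(shown) != host:
        reasons.append(f"text shows {real_host(shown)} but goes to {host}")
    return reasons

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}

# Constructed sample: memo-style lookalike, '@'-style URL, and a genuine link.
SAMPLE = ('<a href="http://wwwsonoma.edu.example.com/">Verify account</a> '
          '<a href="http://www.sonoma.edu@example.com/login">www.sonoma.edu</a> '
          '<a href="https://www.sonoma.edu/it">www.sonoma.edu</a>')
```

Calling `scan(SAMPLE)` returns one finding for the lookalike subdomain, three for the `@`-style link, and none for the genuine sonoma.edu link.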
The computer security software company Cofense offers a handout with additional tips on how to spot phishing attempts.
What to do when you suspect that an email may be phishing:
- Don't respond.
- Don't open any attachments or click any links in the email.
- Never provide account credentials and passwords through email.
- Verify the contents of the message with the corresponding institution by typing in the URL yourself, or verify offline by calling them with a phone number known to you, not with any information from the email itself.
- If you are unsure whether an email is legitimate, contact the IT Help Desk at (707) 664-HELP or IT.Helpdesk@sonoma.edu. The IT Department will never ask you for your username and password in an email.