TO: Campus community
FR: Andru Luvisi, Information Security Officer
Although we regularly discuss the dangers of phishing emails, be aware that criminals can attempt to lure you into sharing sensitive information in other ways as well. Below are reminders about important steps for protecting yourself, others, and the University from cybercriminals and data breaches.
Remember that Level I data such as passwords, PINs, account numbers, etc., must never be sent through email unencrypted. When sending encrypted data through email, the key needed to decrypt it (otherwise known as the decryption key or passphrase) should never be sent over email. Instead, the key should be sent using a separate communication medium, such as telephone or text message.
Also please remember to double-check the recipients of your email when sending Level II data or other sensitive information through email.
Phishing emails are continually sent to members of our campus community. Phishers are criminals who attempt to impersonate an organization with whom you have an electronic account, such as your bank or Sonoma State University. They often attempt to deceive you into giving them your username and password, Social Security number, birth date, or other sensitive information.
Sometimes phishing emails contain or link to malicious software (malware) that allows others to control or access your computer, including your files, camera, microphone, and anything displayed on your monitor or played through your speakers. Some malware can use your computer without your knowledge to perpetrate further criminal activity.
You should suspect phishing:
- When you receive an unexpected email or the email claims to be part of a transaction that you did not initiate;
- When the email contains obvious deviations from standard practice, such as when the "To" or "From" addresses are incorrect or missing, or when the message contains poor spelling and grammar, generic greetings or incorrect information;
- When the email contains threats, requests for money or sensitive information, or includes offers that seem too good to be true;
- When, upon hovering over a link, the target URL either doesn’t match the displayed text or is formatted deceptively (for example, http://www.sonoma.edu.example.com/ and http://www.sonoma.edu@example.com/ are links to example.com, not to sonoma.edu); or
- Any other time when something just doesn’t look right to you.
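The two deceptive link formats above can be checked mechanically. The following is an added Python example (not part of the original memo): it extracts the host a browser would really connect to, flags the "user@host" trick and look-alike subdomains, and compares the link target against its visible text. The trusted domain and the sample links are assumptions taken from the memo's own examples.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed institution whose links we expect to see in campus mail.
TRUSTED_DOMAIN = "sonoma.edu"

# Does the visible link text itself look like a URL or hostname?
URL_LIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?$")
HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def effective_host(url: str) -> Optional[str]:
    """Host the browser really connects to, or None if not an http(s) URL.

    urlsplit().hostname discards any 'user@' prefix and any port, so
    'http://www.sonoma.edu@example.com/' yields 'example.com'.
    """
    url = url.strip()
    if not HAS_SCHEME.match(url):
        url = "http://" + url  # bare hostnames, as seen in link text
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname


def belongs_to(host: Optional[str], domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it.
    'www.sonoma.edu.example.com' does NOT end with '.sonoma.edu'."""
    return host is not None and (host == domain or host.endswith("." + domain))


def check_link(displayed: str, href: str, trusted: str = TRUSTED_DOMAIN) -> List[str]:
    """Return warnings for a link as a mail client shows it (visible text + target).
    An empty list means the link is consistent with the trusted domain."""
    warnings: List[str] = []
    target = effective_host(href)
    if target is None:
        return [f"target is not a web address: {href!r}"]
    userinfo = urlsplit(href).username
    if userinfo is not None:
        warnings.append(f"'@' in link: '{userinfo}' is user info, real host is {target}")
    if not belongs_to(target, trusted):
        warnings.append(f"target host {target} is not {trusted} or a subdomain of it")
    if URL_LIKE.match(displayed.strip()):
        shown = effective_host(displayed)
        if shown != target:
            warnings.append(f"displayed text points at {shown} but link goes to {target}")
    return warnings


if __name__ == "__main__":
    # Constructed samples: the memo's two deceptive links plus one legitimate link.
    for text, href in [("www.sonoma.edu", "http://www.sonoma.edu.example.com/"),
                       ("www.sonoma.edu", "http://www.sonoma.edu@example.com/"),
                       ("Click here", "https://www.sonoma.edu/it/")]:
        print(href, "->", check_link(text, href) or ["looks consistent"])
```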
The computer security software company Cofense offers a handout with additional tips on how to spot phishing attempts.
What to do when you suspect that an email may be phishing:
Don'ts:
- Don't respond
- Don't open any attachments or click any links in the email
- Never provide account credentials and passwords through email
Do's:
- Verify the contents of the message with the corresponding institution by typing in the URL yourself, or verify offline by calling them with a phone number known to you, not with any information from the email itself.
- If you are unsure whether an email is legitimate, contact the IT Help Desk at 707-664-HELP or IT.Helpdesk@sonoma.edu. SSU IT will never ask you for your username and password in an email.