What is Phishing?
Phishing is a tool used by cyber criminals to steal personal information from another person. The fraudster will create an email that appears to be from a trusted source (e.g., your email provider, employer, bank, online account, etc.). The email is designed to trick you into entering confidential information (e.g., passwords, account numbers, SSN, birthdate, etc.) into a fake website, usually by providing an embedded link to follow and "confirm" your account details. You may also be asked to reply to the email with this information. The criminal will then use the information provided to access your account to buy stuff, transfer money, send SPAM, or carry out other damaging activity.
Recently, Cal Poly users have become the target of phishing emails designed to trick you into revealing your Cal Poly username and password. This puts you and the university at risk. Armed with this information, a phisher will typically use your campus email account to send more phishing or SPAM emails, but they can also access any personal information found on the portal.
Cal Poly will never ask for your password via email, phone or a non-calpoly.edu web form. All password changes are handled through the Cal Poly Portal. If your account has been compromised, ITS will change your password immediately and then contact you regarding next steps. If you are not contacted but you know or think you responded to a phishing email, use the Cal Poly Portal to change your password and security questions, and then notify email@example.com.
View samples of actual phishing email messages sent to Cal Poly users. Check SPAM Alerts and Internet Scams and Hoaxes for other recent postings.
What is the threat from phishing emails?
- Identity theft
- Credit card fraud
- Stolen bank information - loss of $$
- Damage to an individual's credit rating
- Access to protected Cal Poly information could cause a security breach
- Damage to Cal Poly's reputation
- Cal Poly email accounts used to send phishing and SPAM emails
Why can't the email filter block phishing email?
Cal Poly's email gateway identifies and blocks many of these phishing messages. Emails that look suspicious will be tagged as "cpSPAM" or "[WARNING: VIRUS REMOVED]" in the subject line, and any infected attachments will be removed. However, the gateway is not foolproof and some messages get through. Once a phishing email is reported, action is taken to prevent further distribution. Additional measures are being explored to improve phishing detection and prevention.
What to do if you receive a phishing email message?
- If you receive a phishing email, do NOT reply, do NOT click on a link, do NOT open an attachment, and do NOT provide personal or confidential information.
- Retain the message for further investigation as needed.
- If you have an account with the financial institution or other major company being portrayed, contact them by phone or visit the company's actual website to check the validity of the request. Most company websites include information on phishing and how to report phishing emails.
- Phishing emails related to Cal Poly typically involve email and IT account use. If you receive a phishing email that appears to come from Cal Poly or ITS, forward the message with full headers to firstname.lastname@example.org for analysis.
- To file a complaint unrelated to Cal Poly, you can forward the message with full headers to the originating Internet Service Provider (ISP). However, complaining to some ISPs can be problematic, so your best course of action may be to delete the message! Visit this page for information on how to file a complaint with an off-campus ISP. Visit the Internet Crime Complaint Center to file any complaint about Internet crime.
What can you do to protect yourself?
- Follow good security practices - Take appropriate precautions when using email and web browsers to reduce your risks
When you receive an email requesting personal information, ask yourself:
- Who is asking?
- Why would they ask for this?
- Why would they need it?
- Don't reply to emails asking for confidential information or to confirm password and account information. Cal Poly, or any reputable company, will never solicit this information from you. If in doubt, call the company or log on to its website directly to confirm the legitimacy of the request.
- Don't click on embedded links in emails, especially ones asking for confidential information or to confirm password and account information.
- Use caution when opening email attachments.
- Don't email personal information.
- When providing personal information to a website, make sure the site is secure (the address uses https and a lock icon is displayed in the browser).
- Monitor your bank accounts more than one time per month.
- Use strong passwords.
- Never share your Cal Poly password or use it for any other online account.
- Follow your "gut feeling" and don't respond to suspicious email messages.
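The checklist above can be turned into a simple screening script. The following is an added example written for this page; it is not Cal Poly's or ITS's code, and the two email messages it inspects are constructed samples, not real phishing emails. It applies the page's own heuristics (a gateway tag in the subject, a sender outside calpoly.edu, a request for credentials, a link that is not https or does not point to calpoly.edu, and link text that shows a different site than the link actually opens). The constant and function names are the example's own choices.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the institution's own domain, taken from the page.
TRUSTED_DOMAIN = "calpoly.edu"
# Subject tags the page says the email gateway adds to suspicious mail.
GATEWAY_TAGS = ("cpSPAM", "[WARNING: VIRUS REMOVED]")
# Phrases that indicate a request for confidential information.
CREDENTIAL_WORDS = ("password", "username", "account number", "ssn",
                    "verify your account", "confirm your account")

# Constructed sample: a message that shows every warning sign on the page.
SAMPLE = """From: "Cal Poly ITS" <helpdesk@calpoly-support.example>
To: student@calpoly.edu
Subject: cpSPAM: Urgent: confirm your account
Content-Type: text/html

<html><body>
<p>Your mailbox is over quota. Reply with your username and password or click below:</p>
<a href="http://calpoly.edu.account-verify.example/login">https://my.calpoly.edu/</a>
</body></html>
"""

# Constructed sample: a routine notice that should raise no findings.
BENIGN = """From: "ITS" <its@calpoly.edu>
To: student@calpoly.edu
Subject: Portal maintenance this weekend
Content-Type: text/html

<html><body>
<p>The portal will be unavailable Saturday for maintenance.</p>
<a href="https://my.calpoly.edu/">https://my.calpoly.edu/</a>
</body></html>
"""

# Matches <a href="..."> ... </a> in an HTML body (href first, then link text).
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def same_org(host, domain):
    """True if host is domain itself or a subdomain of it (not a look-alike)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def check_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    subject = msg.get("Subject", "")
    for tag in GATEWAY_TAGS:
        if tag in subject:
            findings.append(f"gateway tag in subject: {tag}")

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if sender_domain and not same_org(sender_domain, TRUSTED_DOMAIN):
        findings.append(f"sender domain is not {TRUSTED_DOMAIN}: {sender_domain}")

    # Collect every text part (walk() also handles single-part messages).
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("utf-8", "replace")

    lowered = body.lower()
    hits = [w for w in CREDENTIAL_WORDS if w in lowered]
    if hits:
        findings.append("asks for credentials: " + ", ".join(hits))

    for href, text in HREF_RE.findall(body):
        url = urlparse(href)
        if url.scheme != "https":
            findings.append(f"link is not https: {href}")
        if not same_org(url.hostname or "", TRUSTED_DOMAIN):
            findings.append(f"link host is not {TRUSTED_DOMAIN}: {url.hostname}")
        shown = urlparse(text.strip())
        if shown.hostname and shown.hostname != url.hostname:
            findings.append(f"link text shows {shown.hostname} but points to {url.hostname}")

    return findings


if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, check_message(raw) or ["no findings"])
```

Note that `same_org` is what catches the look-alike host `calpoly.edu.account-verify.example`: a plain substring test for "calpoly.edu" would pass it, which is exactly the trick these messages rely on. The script is a screening aid for the reader, not a replacement for the gateway; a message with no findings still deserves the "who is asking, and why?" questions above.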
Learn more about it!
- Read "How Not to Get Hooked by a 'Phishing' Scam" and other facts about phishing.
- Take the SonicWALL Phishing IQ Test and play the Anti-Phishing Phil online game to learn more about phishing scams in general, and how to tell the difference between a phony and legitimate message in particular.
- Read "Security Tip: Avoiding Social Engineering and Phishing Attacks" (US-CERT)
- Read "Security Tip: Using Caution with Email Attachments" (US-CERT)
- Read "Recognizing and Avoiding Email Scams" (pdf) (US-CERT)