How to Identify Phishing Emails


What is Phishing?

Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking or credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss. 

 If you believe your account may be compromised due to a phishing email, please change your password immediately and call IT Support Services at 530-898-4357.

Types of Phishing

There are many types of phishing, but here are some that you may encounter: 

  • Spam is unsolicited and unwanted email, typically sent to try to sell you something. While it is often annoying and misleading, it is rarely malicious. Simply delete it!
  • Phishing messages are bulk emails, typically appearing to be from a reputable source, that ask you to take a specific action that can cause damage to you or your organization. These messages are malicious. Report them with the Phish Alert Button (PAB)!
  • Spear phishing emails are targeted attacks on a person or organization, occurring after detailed research to make them seem especially real. These messages are extremely malicious and can lead to very damaging consequences. Report them with the PAB!
  • Whaling (A.K.A. CEO Fraud) is a phishing attack that targets high-ranking executives at major organizations or other highly visible public figures, then uses their accounts to attempt to fool an employee into transferring funds or disclosing confidential information. Report it with the PAB!

How can I identify Phishing?

Below are common tactics that you may notice in spam, phishing, or scam emails. Please be aware of these, and report any suspicious emails using the KnowBe4 "Phish Alert" button in your email interface.

  1. Suspicious Email Address: Check the sender's email address. Phishing emails often come from a slightly altered or misspelled version of a legitimate email address. This may also include people contacting you from their personal email address, rather than their work or department email.

    • An example might be jsmith.csuchico@gmail.com

    • Technical or account-related emails that come from a specific person instead of IT Support Services or the Office of the Registrar may be fraudulent. 

  2. Generic Greetings or Signatures: Phishing emails are often targeted toward students as a group, so a greeting like "Dear Students" instead of your specific name may indicate a questionable email. A generic sign-off such as "Thank you, IT Admin" is another sign.

  3. Emails from Unfamiliar Senders: Some emails may pose as a department chair or director from a department you are not associated with.

  4. Urgency or Threats: Scammers often create a sense of urgency or threat to prompt immediate action.

    • Examples we've seen before include threats to suspend or delete your Chico State account, or warnings that you will fail to receive financial aid.

  5. Poor Spelling and Grammar: Many phishing emails contain spelling and grammatical errors.

  6. Mismatched URLs: Hover over any links in the email without clicking on them to see the actual URL. If the link address looks suspicious or doesn't match the purported source of the email, it's likely a phishing attempt.

  7. Unsolicited Attachments: Be cautious of unexpected attachments, especially from unknown senders. Never download files from suspicious emails. These can contain malware.

  8. Request for Personal Information: Chico State will not request sensitive personal information via email.

    • This includes contact information, addresses, phone numbers, usernames, ID numbers, Social Security Numbers, banking or credit card numbers, or other personal information. You should never provide this information via email, online form, text message, etc.

  9. Too Good to Be True: Be skeptical of emails offering prizes, lottery winnings, or overly generous offers.

    • Often this will relate to job offers, financial aid, or other offers that seem to be extremely generous.

  10. Mismatched Email Signature: Sometimes, the name in the email signature doesn't match the sender's name or email address.

  11. Unexpected Requests for Money: Be wary of emails asking for money transfers or payments, especially if they are unexpected or unsolicited.

    • This may come as a request for gift cards with a promise of reimbursement or payback. You should never deposit checks from unknown individuals.

What do I do if I was Phished? 

 If you believe your account may be compromised due to a phishing email, please change your password immediately and call IT Support Services at 530-898-4357.

Here are some other tips if you believe your information may have been collected fraudulently: 

  1. Change Passwords: Change the passwords for all accounts that may be compromised.
    • It is recommended to have different passwords for different accounts because if one is compromised, the others may be as well.
    • For security purposes, Chico State requires annual password changes to avoid security risks such as these.
  2. Contact Financial Institutions: If you provided any financial information, deposited checks, or accepted money, contact your bank(s) as soon as possible.
  3. Scan your device(s) for Malware: Run a full system scan on your devices using an anti-virus or anti-malware software.
    • These scans should detect anything malicious on your device. Some businesses may offer malware removal services that could assist with any potentially compromised systems.
  4. Monitor Online Accounts: Keep an eye on other online accounts, including banking, social media, and email accounts for any unauthorized activity or suspicious login attempts. 
  5. Turn on Multifactor Authentication: While Chico State requires the use of Duo for multifactor authentication on your account, this is not required on many other platforms. See if your accounts will allow you to turn on a feature like this. Typically, you can find it under the security settings. 

 Still need help? Contact IT Support Services for further assistance with the Phish Alert Button. If you have a security concern, please contact Information Security.
  

Details

Article ID: 114131
Created: Thu 6/27/24 7:19 AM
Modified: Thu 6/27/24 9:02 AM