Spam and Phishing: How to Protect Yourself

Spam is the electronic equivalent of junk mail. The term refers to unsolicited, bulk – and often unwanted – email. 

Phishing is designed to trick you into sharing personal information like usernames, passwords, basically anything that can be used to gain access to your identity and accounts. A cybercriminal creates an email or text message that appears to be from a trusted source (like a Cal Poly college or department, your bank, your employer, etc.). Most often, these messages urge you to act quickly and click on a link or open an attachment. They might falsely claim that your email inbox requires verification or will be shut down, or that you need to take some action to apply for a job or receive financial aid. If you follow through on the request, the cybercriminal can then use the information to con you out of money, compromise your email account, and use it to phish others.

Spear phishing involves highly specialized attacks against specific targets or small groups of targets to collect information or gain access to systems. For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic, and because the recipient is already customer of the business, the email may more easily make it through filters, and the recipient may be more likely to open the email.

Often, phishing emails look legitimate, but the URL or email address looks slightly off. They tend to be poorly written and have numerous grammatical errors. Phishing emails and text messages are designed to give you a sense of urgency. They tell a story to trick you into clicking on a link or opening an attachment. They may:

• Claim that there is an issue with your email account that requires action

• Say that you qualify for an employment opportunity

• Claim that the sender is your employer and they need your help

• Say they’ve noticed some suspicious activity or log-in attempts

• Say you must confirm some personal information

• Include an invoice for something you didn't order

• Ask you to click on a link to log-in to your account or make a payment

It’s important to remember that while emails from actual Cal Poly offices may contain links, Cal Poly will never ask you to click a link to make a transaction such as verifying your email inbox, paying tuition, or confirming personal information. Official university transactions are mostly handled through the secure My Cal Poly Portal.

• Don’t reveal personal or financial information
  Do not respond to email solicitations with any personal information. Don’t click links sent in email that ask you to provide personal information.

• Pay attention to website URLs
  Malicious websites may look identical to a legitimate site, but the URL uses a variation in spelling or a different domain (e.g., .com versus .net).

• Limit your exposure
  You might decide to use two email addresses — one for personal messages and one for shopping, newsletters, and other services. Also, try not to display your email address in public. That includes in blog posts, on social networking sites, or in online membership directories. Spammers use the web to harvest email addresses.

• Create unique, secure, and strong passwords or passphrases
  Review Cal Poly's password requirements. Having separate passwords or passphrases for every account helps to thwart cybercriminals. Separate your work and personal accounts. Use a password manager like LastPass.

• Keep a clean machine
  Keep all software on internet-connected devices – including computers, smartphones and tablets – up to date to reduce risk of infection from malware. Sophos Central Endpoint Protection antivirus software is installed on all university-owned computers and you can install Sophos Home for free on your personal devices.

• Check privacy policies and uncheck boxes

  • Check the privacy policy before you submit your email address to a website. See if it allows the company to sell your email to others. You might decide not to submit your email address to websites that won't protect it.

  • When submitting your email address to a website, look for pre-checked boxes that sign you up for email updates from the company and its partners. Some websites allow you to opt-out of receiving these mass emails.

Spam, phishing and other scams aren’t limited to just email, they’re also prevalent on social networking sites. The same rules apply on social networks.

• Reporting spam and phishing on Facebook

• Reporting spam on Twitter

• Reporting spam and phishing on YouTube

Ask yourself if you know the person who contacted you, or if you have an account or affiliation with the department/company.

• If the answer is “yes,” verify it.
  If you recognize the sender, but you’re unsure whether it’s legitimate, you can verify it by contacting them directly. Use the information provided on an official website, or the back of your credit/debit card or account statement (if it appears to be from a financial institution). Don’t use the contact information provided in the suspicious email.

• If the answer is “no,” report it.
  If you don’t recognize the sender and the message seems suspicious, it could be a phishing scam. Most email clients offer ways to mark/report an email as spam or phishing. Reporting spam will help to prevent similar messages from being directly delivered to your inbox. Visit Report Phishing and Spam to learn how to do this on campus via Outlook.

If you have clicked through an email that you thought was from a legitimate Cal Poly sender and provided your username and password, then realized that it was not a legitimate website (perhaps the URL looks wrong), you need to change your password right away. You can do this by logging-in to the My Cal Poly Portal and going to the Personal Info tab. Then, go back to your inbox and report the email as phishing. If you use your Cal Poly email and password on any other online accounts (which is very risky), you'll want to change your passwords there too.

If you responded to a phishing email with any sensitive personal information, like account numbers or your social security number, be sure to report it to the Federal Trade Commission. You'll also want to notify your bank if you provided any financial information and keep a close eye on your accounts for any suspicious activity.

The university relies on Office 365 filters and other security tactics to preemptively block millions of spam and phishing emails every quarter. However, there is no perfect solution for filtering out all spam and phishing. One person’s spam could be another individual’s useful message, and with phishing, scammers are always trying new, sophisticated, and targeted ways to trick people. It can be very difficult to pinpoint these emails, especially if they come from a compromised Cal Poly account. When members of the Cal Poly community report spam and phishing emails, it helps Office 365 improve their filters.