Phishing: Recognize and Report
Phishing and related scams are attempts by cyber attackers to trick you into doing something you should not do. These scams often arrive as emails, but attackers also use text messages, phone calls, and social media. Any time someone creates a tremendous sense of urgency and rushes you to take an action, or promotes an offer that is too good to be true, it is most likely a phishing attack.
Phishing emails often attempt to use emotional triggers to get you to react quickly without thinking through whether you should respond, such as dire language about time limits, loss of service, penalties, or language targeting a desire for money. They often have grammar, spelling, and syntax errors, and phrasing that a native speaker would not use.
An example would be an email with a generic greeting warning of a change in an account requiring you to verify your account information. These emails typically include directions to reply with private information or provide a link to a web site to verify your account by providing personal information such as your name, address, bank account numbers, Social Security numbers, or other sensitive personal information.
Indicators of a phishing email:
Phishing messages usually have one or more of the following:
- Name and email address don’t match, or the sender uses a real organization or company name but incorrect email address.
- Heightened urgency. Phishing attempts often try to get you to respond before you have a chance to think.
- Attempts to prove legitimacy using words such as ‘Official’ or generic signatures, for example a signature line with "Service Desk" or "Administration" rather than an SBCC official whose name you can verify.
- Spelling or grammatical errors. These should be immediate red flags.
- Requests for personal information, especially requests for personal information from contacts you did not initiate.
- Never send passwords, bank account numbers, or other private information in an email.
- Avoid clicking links in emails, especially any that are requesting private information.
- Be wary of any unexpected email attachments or links, even from people you know.
- Look for ‘https://’ and a lock icon in the address bar before entering any private information.
- Have an updated anti-virus program that can scan email.
- Be wary of any link to a website where you are asked to enter your username and password to "verify your account" (see "How to spot a fake SBCC login page" below).
- If you’re not sure if an email is legitimate or phishing, please forward it to email@example.com so that we can investigate for you.
How to spot a fake SBCC login page
The genuine SBCC login page has a URL that begins with https://auth.sbcc.edu (or the lock symbol followed by auth.sbcc.edu). If you have doubts about the URL, check with the SBCC IT Service Desk at 805-965-0581 x2215 or report the suspicious link to firstname.lastname@example.org before you enter your username and password.
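The URL check described above, as an added example (not SBCC's own code): it parses a link with the same URL rules a browser uses and requires https plus an exact match on the host name auth.sbcc.edu, because a link can begin with that text and still lead to a different site. The sample links are constructed and use the reserved example.net domain; the function names are hypothetical.

```javascript
// Added example, not SBCC code. Scheme and host are taken from the page.
const EXPECTED_HOST = "auth.sbcc.edu";

// What "begins with https://auth.sbcc.edu" means if read literally.
function naivePrefixCheck(link) {
  return link.startsWith("https://" + EXPECTED_HOST);
}

// Parse the link with the same URL rules browsers use, then require
// https and an exact host match (not a prefix, suffix or substring).
function checkLoginUrl(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { genuine: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { genuine: false, reason: "scheme is " + url.protocol };
  }
  if (url.hostname !== EXPECTED_HOST) {
    return { genuine: false, reason: "host is " + url.hostname };
  }
  return { genuine: true, reason: "https and exact host match" };
}

// Constructed sample links; example.net is a reserved documentation domain.
const SAMPLES = [
  "https://auth.sbcc.edu/login",
  "HTTPS://AUTH.SBCC.EDU/login",
  "http://auth.sbcc.edu/login",
  "https://auth.sbcc.edu.example.net/login",
  "https://auth.sbcc.edu@example.net/login",
  "https://example.net/auth.sbcc.edu/login",
];

// One row per link: does the literal prefix match, and is the host genuine?
function report(links) {
  return links.map((link) => {
    const { genuine, reason } = checkLoginUrl(link);
    return { link, prefixMatches: naivePrefixCheck(link), genuine, reason };
  });
}

console.table(report(SAMPLES));
```

The fourth and fifth sample links pass the literal "begins with" test but resolve to a different host, which is why the host name has to be read up to the first slash and compared in full.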
If you think an email is suspicious, report it.
Forward the email to email@example.com for review. This is extremely helpful as we have tools to block the sender and remove the scam from other campus inboxes. If you are in doubt about using email to report it, call us at 805-965-0581 x2215.
If you think a phone call is suspicious, don't answer it. If you think a text message is suspicious, don't respond to it.
- If possible, don’t answer any calls from numbers you don’t recognize. Callers with anything important to say will likely leave a message anyway.
- Be cautious of calls or text messages from numbers you do not recognize, especially if they ask for personal information or otherwise seem suspicious.
- Never click on a link or attachment in a spam text message because it could trigger malware. If possible, avoid opening them altogether.
- Never respond to a spam text message, as it will confirm that your number is valid.
- When in doubt, or if you are being spammed or harassed, BLOCK THE NUMBER.
- The FTC has published some information about how to block unwanted calls and texts. Visit the FTC website for instructions.
If you already clicked on a phishing link or have entered your information and/or password on a suspicious site:
- Email firstname.lastname@example.org to let us know, or call us at 805-965-0581 x2215.
- Change your SBCC (Santa Barbara City College) login password immediately at http://pipeline.sbcc.edu
- Enable Two-Factor Authentication on your account. Instructions are here: http://www.sbcc.edu/2FA
- Change the login and password for any personal accounts that share the same password, such as:
  - Online banking
  - Personal email
  - Online purchasing (PayPal, Amazon, eBay, etc.)
  - iTunes/Apple ID account
  - Social media (Facebook, Twitter, Instagram, blogs, etc.)
  - Online backup service or file sharing (Dropbox, Mozy, Carbonite, etc.)
- Enable two-factor authentication on any personal accounts that have it available. Most email, banking, payment, and social media accounts offer two-factor authentication.
- Do not use the same password for your SBCC account that you use anywhere else. Can't remember them all? Consider using a password manager to manage all of your personal passwords (we recommend LastPass - it's free).
- Contact the abuse or fraud department of the service being impersonated (eBay, PayPal, etc.)
- If you suspect a bank or credit card account may have been compromised, contact that institution to check your account immediately and request a credit report.