Phishing: Recognize and Report
Phishing and related scams are attempts by cyber attackers to trick you into doing something you should not do. These scams are often sent as emails, but attackers also use text messaging, phone calls or social media. Anytime someone creates a tremendous sense of urgency and rushes you to take an action, or promotes an offer that is too good to be true, it is most likely a phishing attack.
Phishing emails often attempt to use emotional triggers to get you to react quickly without thinking through whether you should respond, such as dire language about time limits, loss of service, penalties, or language targeting a desire for money. They often have grammar, spelling, and syntax errors, and phrasing that a native speaker would not use.
An example would be an email with a generic greeting warning of a change in an account requiring you to verify your account information. These emails typically include directions to reply with private information or provide a link to a web site to verify your account by providing personal information such as your name, address, bank account numbers, Social Security numbers, or other sensitive personal information.
Indicators of a phishing email:
Phishing messages usually have one or more of the following:
- Name and email address don’t match, or the sender uses a real organization or company name but incorrect email address.
- Heightened urgency. Phishing attempts often try to get you to respond before you have a chance to think.
- Attempt to prove legitimacy using words such as ‘Official’, or using generic signatures, for example a signature line with "Service Desk" or "Administration" rather than an SBCC official whose name you can verify.
- Spelling or grammatical errors. These should be immediate red flags.
- Requests for personal information, especially requests for personal information from contacts you did not initiate.
- Never send passwords, bank account numbers, or other private information in an email.
- Avoid clicking links in emails, especially any that are requesting private information.
- Be wary of any unexpected email attachments or links, even from people you know.
- Look for ‘https://’ and a lock icon in the address bar before entering any private information.
- Have an updated anti-virus program that can scan email.
- Be wary of any link to a website where you are asked to enter your username and password to "verify your account" (see "How to spot a fake SBCC login page" below).
- If you’re not sure if an email is legitimate or phishing, please forward it to phishing@sbcc.edu so that we can investigate for you.
How to spot a fake SBCC login page
The genuine SBCC login page has a URL that begins with https://auth.sbcc.edu (or the lock symbol followed by auth.sbcc.edu). If you have doubts about the URL, check with the SBCC IT Service Desk at 805-965-0581 x4215 or report the suspicious link to phishing@sbcc.edu before you enter your username and password.
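The check above is only reliable when the host part of the URL is exactly auth.sbcc.edu, because a link can begin with that text and still lead somewhere else. The following is an added example, not SBCC's own tooling: it compares a plain "begins with" test against a check of the parsed host. The sample links are constructed, and the /login path and the example.com / example.net hosts are assumptions used only for illustration.

```python
from urllib.parse import urlsplit

GENUINE_HOST = "auth.sbcc.edu"  # genuine login host as stated on this page


def naive_prefix_check(url):
    """The literal 'begins with' test; look-alike hosts can pass it."""
    return url.startswith("https://" + GENUINE_HOST)


def check_login_url(url):
    """Return (ok, reason) after comparing the parsed host, not the raw string."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' is not the host"
    if not host:
        return False, "no host"
    if not host.isascii() or "xn--" in host:
        return False, "internationalized host (possible look-alike letters)"
    host = host.rstrip(".")
    if host != GENUINE_HOST:
        return False, "host is " + host
    if port not in (None, 443):
        return False, "unexpected port"
    return True, "genuine login host"


# Constructed sample links (example.com / example.net are reserved test
# domains; the /login path is hypothetical).
SAMPLES = [
    "https://auth.sbcc.edu/login",
    "http://auth.sbcc.edu/login",
    "https://auth.sbcc.edu.example.com/login",
    "https://auth.sbcc.edu@example.net/login",
    "https://\u0430uth.sbcc.edu/login",  # first letter is Cyrillic, not Latin
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_login_url(link)
        verdict = "OK  " if ok else "FAKE"
        print(f"{verdict} prefix-test={naive_prefix_check(link)!s:5} {reason}: {link!r}")
```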
If you think an email is suspicious, report it.
Forward the email to phishing@sbcc.edu for review. This is extremely helpful as we have tools to block the sender and remove the scam from other campus inboxes. If you are in doubt about using email to report it, call us at 805-965-0581 x4215.
If you think a phone call is suspicious, don't answer it. If you think a text message is suspicious, don't respond to it.
- If possible, don’t answer any calls from numbers you don’t recognize. Callers with anything important to say will likely leave a message anyway.
- Be cautious of calls or text messages from numbers you do not recognize, especially if they ask for personal information or otherwise seem suspicious.
- Never click on a link or attachment in a spam text message because it could trigger malware. If possible, avoid opening them altogether.
- Never respond to a spam text message, as it will confirm that your number is valid.
- When in doubt, or if you are being spammed or harassed, BLOCK THE NUMBER.
- The FTC has published some information about how to block unwanted calls and texts. Visit their website here for instructions.
If you already clicked on a phishing link or have entered your information and/or password on a suspicious site:
- Email phishing@sbcc.edu to let us know, or call us at 805-965-0581 x4215.
- Change your SBCC (Santa Barbara City College) login and password immediately at the campus portal.
- Enable Two-Factor Authentication on your account. Instructions are here: http://www.sbcc.edu/2FA
- Change login and password for any personal accounts that share the same password, such as:
- Online banking
- Personal email
- Online purchasing (PayPal, Amazon, eBay, etc.)
- iTunes/Apple ID account
- Social media (Facebook, Twitter, Instagram, blogs, etc.)
- Online backup service or file sharing (Dropbox, Mozy, Carbonite, etc.)
- Enable two-factor authentication on any personal accounts that have it available. Most email, banking, payment, and social media accounts offer two-factor authentication.
- Do not use the same password for your SBCC account that you use anywhere else. Can't remember them all? Consider using a password manager to manage all of your personal passwords (LastPass is a free password manager).
- Contact the abuse or fraud department of the service being impersonated (eBay, PayPal, etc.)
- Consider signing up for an Identity Theft Protection and Credit Monitoring service online.
- If you suspect a bank or credit card account may have been compromised, contact that institution to check your account immediately and request a credit report.
For SBCC employees:
IT Security Awareness Training for SBCC employees is available through the California Community Colleges Vision Resource Center. This online training consists of 34 short modules totaling 2 hours and 41 minutes of instruction. SBCC employees who are required to take this training will receive an email from infosec@sbcc.edu with the subject “SBCC IT Security Awareness Training”. Instructions for self-enrolling are below.
To access the SBCC IT Security Awareness Training:
- Sign into the campus portal.
- Select the “Employee” menu, then “Resources.”
- Select “Vision Resource Center Professional Development Portal” in the middle of the page.
- At the Vision Resource Center site, click the “FIND” button in the middle of the page.
- Type “SBCC IT Security Awareness Training” in the search box, and then select “SBCC IT Security Awareness Training” when it appears in the search results.
- Click “OPEN CURRICULUM” on the right side of the page to begin the training.
This training must be completed within 30 days of enrollment.
Other training resources:
- NIST has published a list of free and low cost online cybersecurity learning content here: https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content
Need Help?
- Students: Contact tech support at https://sbcc.edu/it/studenttechsupport.php
- Employees: Contact tech support at https://sbcc.edu/it/employeetechsupport.php