Phishing scam compromises dozens of student accounts
Dozens of students were shocked to learn that they were suspended from SF State last week when an email appearing to be from California State University’s chancellor gave them the bad news. But when they clicked on a link in the email, the truth was revealed — they had just been scammed.
The phishing email was sent around Dec. 4. Aliea Glenn, a biology major, was among those targeted.
“My first reaction was like, ‘Why would I have been suspended?’ Maybe this is fake, [or] maybe they thought I was cheating somehow,” Glenn said. “All these things ran through my head before I called [the administration].”
While Glenn did click the link, she didn’t lose access to her account since the phishing scam didn’t work in the Safari browser.
Another fake email claimed that students needed to “re-validate” their email storage, and that their account would be unable to receive new emails until they clicked the link.
SF State Information Technology Services did not comment on this specific email, but a post on the SFSU subreddit by user Tiny-Mugget with a screenshot of this email dates as far back as Nov. 22.
Information Technology Services claims 25 students clicked the link and had their account access revoked as a result.
The phishing attack exposed students’ login credentials to the attackers, but SF State’s systems themselves were not hacked, according to a statement from ITS Associate Vice President Nish Malik.
“No SF State services or sensitive data were compromised because of the recent phishing incidents,” Malik said in the statement.
The compromised accounts were used by the fraudulent party to send out more phishing emails.
Another phishing email reportedly went out to faculty and staff, claiming that they had too many vacation hours accrued, with a fake link attached that purported to fix the problem.
Malik told Xpress that these emails were not sent by hackers, but were actually part of an SF State activity that’s meant to educate users about phishing.
“This particular message was not a phishing attack, but a training simulation by ITS,” Malik said. “The messages were sent out to all faculty and staff from the PhishMe tool … to help with phishing awareness.”
Malik described the job of securing email as monumental; ITS blocks more than 10,000 phishing emails daily.
ITS is working to increase security protections, Malik said.
“However, even with all these advanced technologies, there is no sure way to stop them all without the risk of blocking legitimate email,” he said.
Malik said ITS uses a tool called PhishMe, which sends simulated phishing messages to faculty and staff to test and educate them about email security.
“As such, email security becomes everyone’s responsibility, and educating oneself to be able to tell a legitimate email from a phishing attempt is imperative,” Malik said. “This is where it sees the biggest opportunity to make a difference.”
SF State email account holders who have had their account compromised can call (415) 338-1111, dial “4”, then follow the directions provided. Others affected by phishing emails to their SF State accounts can forward the message to email@example.com and report the incident to firstname.lastname@example.org, according to the ITS phishing guide.
*Correction: In the print version of this article, the reporter inaccurately stated that student accounts were “hacked” when they were scammed by a phishing email. The print version’s headline also stated accounts were “hacked”.
The tool PhishMe was inaccurately described as a tool available to everyone. This tool is used by ITS to test and educate employees about the dangers of phishing scams.
The Xpress regrets these errors.