Stay safe: Phishing attempts are on the rise

Information Security at CSU has observed an increase in phishing attempts by attackers.

The most recent instance involves an email campaign from valid CSU accounts with the subject line “Validation Notice Do Not Ignore, Last warning.” The message indicates “your office 365 has two different logins with two universities.” This is not a legitimate email, and users should refrain from interacting with the message in any way. To report a suspicious email, follow these simple steps:

1. Right-click on the email to open up the options menu
2. Navigate to the ‘Report’ option
3. Select the ‘Report Phishing’ option
4. Report the incident to the CSU Cybersecurity Team

“Phishing is not a new problem, but it continues to plague organizations because it preys upon busy people,” says Steve Lovaas, chief information security officer. “Even a poorly constructed phishing attack can present a ‘lure’ that may be just close enough to seem legitimate, even if it’s simply a cut-and-pasted Ram graphic or the name of an actual CSU department. To resist even the most carefully crafted attacks, a little vigilance can go a long way.”

Safety tips

Safeguarding CSU data and personal information online requires a grassroots effort, emphasizing vigilance and education. Here are quick tips to protect your information.

When emailing and texting:

Don’t rush to respond: Avoid hastily responding to official-sounding emails that urge immediate action. Phishing attacks often create a false sense of urgency, pressuring recipients to click links or share confidential information.

Verify links and attachments: Refrain from clicking, opening or downloading links or attachments in emails or texts unless you trust the sender. Confirm the legitimacy of the sender before taking any action.

Government or official sources: If an email appears to be from a government agency or financial institution, avoid clicking provided links. Instead, conduct an internet search to find the official website and use the contact information listed there.

Avoid sharing sensitive information: Never include confidential details, such as Social Security numbers or passwords, in emails or texts, even if prompted. Requests for such information are clear indicators of phishing attempts.

Duo push notifications: Pay attention to Duo push notifications and do not approve an authentication request unless you are in the process of logging in.

Recognize phishing attempts

Impersonation of trusted organizations: Phishing scams often involve attackers posing as representatives of trusted organizations and soliciting information.

Financial risks: Phishing can lead to significant financial damage if personal information is surrendered to attackers. Remember that CSU will NEVER request passwords, Social Security numbers, or other sensitive information via email.

Appearance and content: Some phishing attempts may contain errors, but sophisticated ones may appear trustworthy. Be cautious of emails asking to open files, click links, or enter information into forms.

Beware of NetID requests: Exercise caution with emails requesting NetID information.

Job scams: Students seeking employment should be aware of potential job scams.

Verification: If an email seems suspicious, contact the sender directly rather than clicking on links. Clicking on a phishing email, even to check its legitimacy, can lead to system infections.

When in doubt, report it.

Uncertain if an email is malicious? Contact the Cybersecurity Team and report an incident via email. View a sample phishing email and stay informed about current cybersecurity alerts by visiting the cybersecurity web page.