Phishing, Security

Cybersecurity Month, Week 4: When Criminals go Phishing, Don’t Take the Bait

Week 4 is all about identifying Phishing. Phishing is when criminals use fake emails to lure you into handing over your personal information or installing malware on your device. It’s easy to avoid a phishing email, but only once you know what to look for.

You can find more information about Week 4 of Cybersecurity Month at


Phishing Scam Alert

ITSS has received reports that campus employees have been targeted with phishing attacks. These attacks have used email and SMS text messages, posing as campus employees requesting assistance.

Example of the text sent to employees:

Are you available . I am at a meeting and limited to calls, but I am good to go with texts if that works. Need you to handle a task.

Typically these type of attacks will request help with obtaining gift cards. An example of a previous version of this scam is detailed at

If you receive a suspicious message delete it without responding, or directly verify with the sender that the message is legitimate. More information about phishing scams is available at

Phishing, Security

Ransomware Alert

The LA Unified School District experienced a debilitating ransomware attack over the weekend, and several advisories have been released this week that have reported similar events targeting the education sector. Our Information Security Team and various other Division of IT Teams are actively monitoring the situation and staying up to date with the recommended compensating controls by the cybersecurity community. As details evolve, we wanted to share some helpful tips:

  • Be cautious of unexpected emails and emails from unknown senders. If an email seems suspicious verify its legitimacy with the sender or with ITSS before providing information or clicking on any links. Phishing is the primary method for ransomware attacks. More information about phishing is available at
  • Store files in a secure location. Box is the approved cloud-based content storage and collaboration service for university staff and faculty. More information about Box can be found at
  • Make sure your computer has system updates installed. Campus-managed computers have system updates installed automatically.
  • If not already used, consider enabling multi-factor authentication for personal accounts used for finance, email, and social media services. Popular options include text message verification, Face ID, or Google Authenticator.  

NPR’s reporting on the incident can be found at


IRS Warns Universities of Scam

The Internal Revenue Service warned of an ongoing IRS-impersonation scam that appears to primarily target educational institutions, including students and staff who have “.edu” email addresses.

The IRS has received complaints about the impersonation scam in recent weeks from people with email addresses ending in “.edu.” The phishing emails appear to target university and college students from both public and private institutions.

The suspect emails display the IRS logo and use various subject lines such as “Tax Refund Payment” or “Recalculation of your tax refund payment.” It asks people to click a link and submit a form to claim their refund.

The phishing website requests taxpayers provide their:

  • Social Security number
  • First Name
  • Last Name
  • Date of Birth
  • Prior Year Annual Gross Income (AGI)
  • Driver’s License Number
  • Current Address
  • City
  • State/U.S. Territory
  • ZIP Code/Postal Code
  • Electronic Filing PIN

If you received a phishing email you should delete it without clicking on links or replying.

Phishing, Security

Job Scam Emails

CSU, Chico students are often targeted with scams promising jobs. Students have been scammed out of money or had campus accounts compromised by job-related phishing scams. If an email or job offer sounds too good to be true it probably is. Most legitimate jobs do not require you to pay money or send personal information via email.

Do Not Respond to any job advertisement or offer that requires you to:

  • Give your credit card or bank account numbers or copies of personal documents.
  • Send payment by wire service or courier.
  • Deposit checks or transfer money into your bank account.
  • Receive or process a large check.

Don’t hesitate to check with ITSS if you are unsure about the authenticity of an email you’ve received. The Career Center can also help you determine if a job posting is a scam.

More information about information security and employment scams:

Example of a recent job scam email:

job scam email example
Phishing, Security

Campus Spearfishing Attack

Over the past two weeks Chico State has been specifically targeted by people who have analyzed our org chart and are crafting email attacks based on that data by creating bogus @gmail accounts and then emailing spearphishing attacks “from” a manager to their staff.

spearphishing example

If you reply to these emails they will ask you to purchase gift cards.

I will be having a busy day and I want to surprise some of the staffs with gift card. The type of card I need is steam wallet gift cards $100 denomination, I need $100 X 7 cards so that will be $700 i will be reimbursing back to you. You will purchase the cards from a nearby store to you, when you get the cards, Scratch out the back to reveal the card codes, take pictures of each cards and send it to me here. How soon

can you get that done? Its Urgent and I want you to keep the physical card safe with you cos I will get them from you later.

Once the scammer has the card codes they can take the money from the cards, even without physical access to the cards.

More information about phishing is available at