8 Sac State faculty accounts compromised in phishing attack

Scammers are offering $250 per week to put an ad on your… motorcycle.


Rahul Lal

Graphic by Rahul Lal.

Kylie Robison

Eight Sacramento State faculty accounts were accessed by scammers in a phishing attack this week, and at least one account was used to send further phishing emails to students, according to Sac State Information Resources and Technology officials. 

Phishing scams are attempts to gain access to a victim’s email account in order to send malicious links, which upon clicking, further expose personal information such as credit card information and passwords.

No student accounts were compromised in this breach. 

One of the phishing victims, art professor Elaine O’Brien, said she got an email that appeared to be from the art department chair, and a document for faculty evaluations. 

“I’m serving on the faculty advancement and retention committee this semester and assumed it had to do with that, so I clicked on the file,” O’Brien said via email. “It went to OneDrive, but the file wasn’t there.” 

O’Brien didn’t think much of it until many students inquired about a job posting she emailed out. 

Story continues below screenshot. 

“I forwarded the email to IRT using the phishing button on Outlook,” O’Brien said. “They got back to me immediately that they would investigate it, and within a few hours, informed me that my account had been compromised.” 

Soon after Sac State IRT informed O’Brien, she contacted the department chair, and IRT sent out a notice to the university community shortly thereafter.

Sac State’s IRT department has several tools to prevent and mitigate phishing, including its awareness program that sends non-malicious phishing links to students in order to remind them of the dangers of these cyber-attacks. This semester, a “Report Phishing” button is in faculty and students’ Outlook toolbars, one of the many ways the school is working to protect SacLink accounts.

In addition, students will be required to sign up with Duo, a multi-factor authentication tool that creates a unique, one-time code that must be used along with a user’s password to sign in to SacLink. 

More than half of the student population is currently protected by Duo, according to Marc Fox, the senior director for enterprise systems. All students will be required to sign up for Duo before Oct. 5.

Sac State is not new to these sorts of attacks since they are regular occurrences that IRT must mitigate. Despite IRT’s efforts, some attempts prove to be successful. 

“Students should be aware that these emails are the first phase of an advance fee fraud/part-time employment scam,” Fox said. 

This type of scam can be broken into several steps. First, the perpetrator attempts to obtain the victim’s personal email address, phone number, and mailing address. 

Once that information is obtained, a cashier’s check is often mailed to the victim, and upon deposit, the scammer requests a gift card to be sent with the funds provided. The check will bounce, and the money will be withdrawn from the victim’s personal funds.  

Phishing emails are designed to look authentic, so understanding the signs of phishing emails is important, especially since attacks can appear to be emails from professors and peers. 

For example, if the email does not address you directly, it could be a phishing scam. “Dear User,” or “Hello there,” are often used instead of your name. Sometimes the email’s display name will show up as “Apple Support,” but the email address is a series of random numbers and characters.

These attacks often have grammatical, spelling and logical errors as well. In the phishing email attack this week, the scammers promised money for displaying an advertisement “on their Car” with a miscapitalization, but then later said using a motorcycle is also OK, despite the fact placing an ad on a motorcycle would be difficult and ineffective.

RELATED: Recognize scams: 8 pitiful phishing attempts sent to Sac State students

Links in emails, online ads, texts and social media posts are an easy way for these criminals to attack your device. Sac State IRT’s advice is “when in doubt, throw it out,” and don’t trust links.

Additional reporting by Robbie Pierce.