​                

How can I avoid phishing attacks?

Phishing messages are becoming more targeted, sophisticated and even harder to recognize.

Look for signs of phishing

These include emails with suspicious links or attachments, plus:

Instant messages or phone calls with an urgent tone – They ask you to reveal your account password or other confidential information and hope you won't stop to think about it.

An unofficial or unusual "From" address – This is a sender's email address that is similar to, but not the same as, an official company email address.
​​​
A message marked with "Urgent action required" – Phishing often includes urgent "calls to action" to try to get you to react immediately.
​​​​​​
A generic greeting – Fraudsters who send thousands of phishing emails at one time may have your email address but they will seldom have your name.

A link to a fake website – This is designed to trick you into disclosing your username and password. Phishing emails usually include a link to a fraudulent website that is formatted to look similar to the sign-in page of a legitimate website.

Actions to minimize your vulnerability to phishing

1. If you receive a phishing email, click on the Phish Alarm Button to report it.  
    
2. Report successful phishing. If you click on a phishing link or receive a phone call and then provide your username and password, immediately change your password and call the IT Service Desk at 415-514-4100 to report that your account has been compromised. (If needed, the Service Desk can help you change your password.)
    
3. Protect your computer with a firewall and anti-virus software. Always ensure that your anti-virus software is active and up to date. UCSF provides Symantec Endpoint Protection (which includes firewall and anti-virus software) for free at https://software.ucsf.edu.
    
4. Do not click on links in emails, and never go to websites by clicking links in emails. This is because such a link may direct you to a fraudulent website. Instead, if you frequently visit the website the phisher is mimicking, always type the correct URL directly into your browser, or use a bookmark to access it.
    
5. Communicate personal information only via phone or secure websites. However, do not divulge any personal information over the phone unless you initiated the call.
    
6. Periodically check your account details. It’s good practice to review your bank, credit or other important accounts periodically. Do this to check for any irregularities in online transactions and any recent logins or changes to your contact information.