This content is viewable by Everyone


Use Phish Alarm to Report Potential Phishing Emails and Contact the IT Service Desk or UCSF Police for Other Security Incidents

IT security incidents can originate almost anywhere in our organization due to the myriad of methods criminals can use to steal and disrupt UC Institutional Information and IT Resources.  However, most cyberattacks now start with a phishing message. According to Security Magazine, it is estimated that 80-95% of attacks begin with phishing.

To help protect UCSF, our policies require all end users and system owners to report any incidents to the appropriate unit to begin an incident investigation. Timely reporting of an incident is essential not only to containment but also to minimizing the potential work disruption and associated costs. 

What you need to do:

When you think you may have witnessed something that looks suspicious or may be a crime, report it.  If it is in the form of an email, always use the Phish Alarm button to report it.

You cannot over report! UCSF IT Security analytics can quickly determine what type of email it is and get back to you. If it is a real phish, we can quickly block it from harming others. Also, this information feeds the knowledge base that helps accurately analyze other phish and stop them from doing harm.

For more information on Phish Alarm, please visit the Phish Alarm Service Page.

For everything else, what you need to do:

Be ready to provide specifics such as date/time of loss, type of device, contact information, and any specific information that you believe indicates that a device was breached, a computer security incident occurred, or a device was lost or stolen.

UCSF incident response procedures call for documenting, tracking, and resolution of all information security incidents.

If you administer UCSF devices, systems, or applications, one of your key responsibilities is to regularly monitor them for threats or unusual behavior. There is an extensive array of threats to UCSF data and systems, and monitoring data can be crucial to detecting and containing attacks.

If you suspect a system has been compromised or is being attacked, report the incident immediately to:

UCSF IT Service Desk – Available 24/7

All lost or stolen computing devices (including smartphones, tablets, and external drives) must be immediately reported to the UCSF Police at:

Please take the Incident Response Quiz. Everyone who passes is entered in a drawing for one of six $50 Amazon gift cards.

Additional Information

National Counterintelligence and Security Center Defense Security Service (DSS) on Academic Solicitation

UCSF Incident Investigation Procedures

UCOP Incident Response Standard

UCSF Security Incident Response & Investigation

UCSF 650-16 Addendum C - UCSF Incident Investigation

UCSF Best Practices for Application and Website Security

DHS See Something - Say Something

Between 80 and 95% of cyberattacks begin with phishing