Information Security

Phishing & Other Security Questions

Phishing is one of the most popular methods employed by scammers to obtain your sensitive information. 

You are a partner in preventing cyber crime by following these practices when receiving any message or notification:

 Reject unknown login attempts using 2-Step/Multi-factor authentication: Duo puts you in control of access to your BroncoAccount; if you receive a login attempt that you didn’t request, reject it. If you have questions or concerns about access to your BroncoAccount, contact the IT Service Desk.

  • Cal Poly Pomona (CPP) staff, faculty or service providers will never ask you to authorize a Duo request.
  • Think before you click: Don't click on links; always visit reputable websites directly. Successful cyber attacks often start with an urgent phishing email, message, notification, or call, impersonating real people or organizations to offer money for job opportunities, ask for donations, or spread misinformation. Reputable organizations should not contact you to take immediate action. A message could be a scam if:
    • An offer sounds too good to be true.
    • The message is unsolicited or unexpected.
    • A package delivery, even if you’re expecting one.
    • The sender doesn’t typically contact you using that particular method, service, or platform.
    • The sender or organization doesn’t typically contact you on evenings, weekends, or holidays.
  • Secure your logins and passwords: Never share passwords, create long and unique passwords for all accounts, including your BroncoAccount, banking, and online shopping, and use two-factor authentication wherever possible. When in doubt, change your password immediately by visiting the website directly.
  • Research any request for a donation: Do not let anyone rush you into a financial transaction. Never provide cash, gift cards, or wire funds. 
  • Keep software updated: Ensure that your personal and home devices install software updates automatically. CPP devices, software, and services managed by IT, and we will never contact you to request access to your account or device.
  • Report suspicious emails to and mark them as Phishing using Microsoft 365*.
    • Recent phishing messages impersonate CPP employees, job opportunities, invoices, payments, gifts, financial aid, Microsoft and other software services, political action groups, package deliveries, and government agencies or services. These messages, typically ask you to use a personal email and phone and to contact a non-CPP address, allowing them to avoid campus network security.
    • *To report a Phishing attempt to Microsoft from your inbox, select the arrow next to [Junk] and select [Phishing].

 Indications of a Phishing Scam:

  • Is the sender claiming to be someone official (e.g., your bank, doctor, professor, university staff, a lawyer, or a government employee or agency?) Criminals often pretend to be important people or organizations expecting you to supply information or take an action.
  • Are you told you have a limited response time (e.g., in 24 hours or immediately?) Criminals often threaten you with fines, loss off services, imprisonment, and other negative consequences.
  • Does the message make you anxious, fearful, or curious? Criminals often use threatening language, false claims, or tease you into wanting to find out more.
  • Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions?) Scammers can make you think you might miss out on an opportunity to entice you to respond quickly.
  • The email, text, subject line, or content looks unusual or not typical for your friend, colleague, university, organization, or business to send and just not sound or read like them.
  • The message may contain spelling or unusual grammar.
  • The message could use overly vague or over-use professional jargon to appear legitimate.

 What should I do if I receive a suspicious message: 

  • Never correspond or forward the message other than reporting it to or authorities. Communicating with cyber criminals verifies a successful connection and makes you a target for attempts in the future.
  • Change your CPP password immediately if you reply to a suspicious or fraudulent message.
  • Never click on links or provide personal or confidential information. Change your CPP password immediately if you click on any links or interact with a suspicious or fraudulent website. Check the URL, phishing websites designed to look like the legitimate website.
  • In most cases, you can safely delete the message if you have not replied or clicked on any links.
  • Call the IT Service Desk or related campus administrative office to evaluate your campus accounts and determine if they are compromised.
  • Contact the University Police at 909-869-3070 if you have been a victim of fraud.


A “spoofed” email  is the forgery of an email sender so that the message appears to be sent by someone familiar instead of a perpetrator. Email “spoofing” is used by phishing and spam perpetrators to trick someone into opening the message by thinking it is from someone familiar. 

In these cases, the IT Service Desk advises those being spoofed to notify their common contacts that they are being “spoofed” and be diligence when receiving emails from them with careful inspection. 

Contact the IT Service Desk if you are unsure about the security of their account.

The best course of action is not to respond. 

 Next report it to your carrier – There is typically a “Report Junk” or other option provided by the carrier to report and block messages from the sending number.  Note- it doesn’t prevent other smishing from another sender.