Story provided by Agency Information Security Office

Many organizations such as CDCR are being targeted with phishing attacks by malicious hackers.  The goal of these hackers, or “bad guys,” is to conduct malicious activity such as scamming, hacking and stealing information such as your passwords and the data you normally work with.

This activity is often conducted using a social engineering tactic called phishing. These bad guys will typically create fake emails to appear to come from someone you trust, such as IT staff, helpdesk, banks, other agencies or a popular website. These emails attempt to trick you into giving away information such as your username, passwords, or any type of sensitive information.

They may also try to get you to inadvertently install malicious programs onto your computer, which can happen when you click on an infected attachment. Once infected, the bad guys can monitor all of your activity, including all of your keystrokes.

According to, over 500 million phishing emails are sent each day worldwide and they are effective. Every 60 seconds, 250 computers are hacked. These kinds of attacks cost organizations $388 billion a year in stolen sensitive and confidential information.

When you are using computer systems, CDCR asks for your help in securing our organization by exercising extreme caution and following these safety tips:

What to look for to identify phishing emails

  1. Emails sent from outside (non-CDCR addresses) or unsolicited senders.
  2. Contains unsolicited attachments you did not expect.
  3. Generic greetings.
  4. Spelling and grammar mistakes.
  5. Links to unrecognized websites or slightly misspelled websites.
  6. Threats or enticements that create a sense of urgency.
  7. Toll-free numbers in suspicious emails that do not match known numbers.

What to do

  1. Never give out personal or sensitive information based on an email request.
  2. Don’t trust links or attachments in unsolicited emails.
  3. Hover over links in email messages to verify a link’s actual destination, even if the link comes from a trusted source.
  4. Type in website addresses, rather than using links from unsolicited emails.
  5. Be suspicious of phone numbers in emails. Use the phone number found in a trusted directory.
  6. Reporting suspicious activity and/or emails to the Information Security Office through your local IT Staff.

Tips on Passwords

Some phishing emails may target you in order to steal your password.

  1. Never share your password with “any” individual regardless of who they are.
  2. This includes IT Staff, your superiors, directors, managers/supervisors, etc. Categorically nobody should know your password.
  3. If you think you may have inadvertently shared your password, please change it immediately. In addition, please report it to the Information Security Office through your local IT Staff. We realize that we all make mistakes and fall for these phishing attacks.
  4. Never use a password at work that you use outside of work.
  5. Often times, the “bad guys” will try to hack other websites to steal passwords and then use those passwords to try to log into other systems.
  6. Use complex passwords. A good way to create a complex password is to use a passphrase such as a sentence. A passphrase is more secure because it’s a long password and easy to remember.

Our organization and staff are no exception to being a target. We ask you to be cautious and suspicious of any activity with computer systems targeting you and your accounts. We realize as part of normal human behavior we all may fall for some of these social engineering tricks. When that happens, we are asking you in partnering with us by reporting suspicious activity so that we can stop the “bad guys” and better secure your and CDCR’s information as much as possible.


See an informational graphic on the subject: