Security :: Information Security Office

Printer-friendly version

Keeping Campus Information Secure

Humboldt State University's Information Security Team works with the campus community to secure system and network resources and to protect the confidentiality of student, faculty, and staff information.

We collaborate with other ITS teams to manage account access control, establish policies, procedures and guidelines, and track, coordinate and mitigate responses to security incidents.




(In)security of Cloud-connected Password Managers

In light of recent mass breaches of cloud-based password managers, we are withdrawing our recommendation of LastPass and will be updating the ITS website accordingly. We now advise users to consider instead password managers with local storage, such as


Keepass (or KeepassX)

Learn more about what can go wrong with cloud-based password managers:


Fake Home Based Logistics Supervisor Job Offers

Please be aware that scammers are once again sending out fake job offers to earn money from home. The pitch this time is hiring for "Logistics Supervisor" positions to "manage the receipt and dispatch of packages and to customers using receipt of prepaid package labels", or something similar. Compensation is offered at $2,550 during the first "trial" month, with a promise of $3,250 per month thereafter. Benefits like healthcare, dental, vacation, and personal time off are usually offered to make the offer sound more plausible. Typically, the company name is "A.S. Company" or something similar, and the emails are primarily coming from compromised accounts in European countries, including Italy (.it) and Ireland (.ie). The email typically requests an interview and asks for your name and surname,as well as your cellphone number.

If you receive this kind of "offer", please do not respond, but instead flag the message as Spam. You can read more about this type of scam in this article (the company name is different, but it's the same scheme).

Please always remember:  If something sounds too good to be true, it usually is.


Reporting Phishing Emails to the Information Security Office

You may have noticed a significant uptick in spam emails recently. There has been a rash of the bad guys sending unsolicited fake "invoices" or trying to get you to open (virus-infected) email attachments. Most of these emails are successfully categorized as spam and go straight to your junk mail folder, but sometimes a scam passes undetected through both Google's and HSU's spam filters. When these emails attempt to get you to give up your HSU credentials either by replying to the email or by filling out an online form, this is called phishing - and here's a recent example:

A couple of weeks ago, a few hundred emails were sent to HSU recipients from a compromised Estonian University email account, asking the recipients to reply with their HSU account, and password.  The email looked like this:

Dear Humboldt Webmail User,
 Our postmaster has recognized that 6 incoming mails was blocked for your mailbox, and you need to verify your webmail within 24 hours. For verification, send us the below information's.

User ID:
Confirm Password:

IT Service Desk

One alert staff member acted fast, and forwarded this phishing email to the Information Security Office (Thank you, Shannon!). That quick action allowed us to respond immediately by blocking further identical emails and creating a report showing who responded to the sender with the requested information. It is important for ITS to quickly identify account holders who provide their HSU credentials to anyone over the Internet. And even though this scam looked rather obvious to many, the HSU Information Security office identified and locked 30 (yes, thirty) student accounts that day!

Had these accounts not been identified and blocked in a timely fashion, the criminals behind this scam would have been able to send out thousands of additional emails to campus accounts using any of the valid email addresses they'd been able to acquire. Typically, such "second wave" emails are crafted to look like they come from Payroll or Human Resources and ask recipients to fill out a bogus "tax" or "Government" form that coincidentally includes the user's SSN, birthday, name, address, etc.

This is why we are always telling you to Think Before You Click!

HSU ITS will NEVER ask you for your password, either by email, phone, or online form. Any email or online form that asks you to provide your HSU credentials is fraudulent. If you get a "phishy" looking email that asks for such personal information, please forward it to and call the Information Security Office at extension 3815.  Please don't put it off - time can be of the essence.


Spam/Junk Email

If you receive emails labeled as Spam or Junk, chances are it's been done for a very good reason, either by Gmail (Google) or by the HSU Information Security Office. Please bear the following in mind when reviewing items in your Spam or Junk folder: 

  1. Do not open any of these messages, even if you recognize the sender's name. Any email labeled as Spam/Junk may be malicious; for example, it could be a spoofed message from someone posing as somebody you know that's designed to get you to open a malware attachment.
  2. Never open an attachment sent by anyone you don't know, especially if their email ends up in your Junk mail (or is labeled as Spam). It doesn't matter what kind of file it is - we've seen infections spread through invoices, scanned documents, ZIP files, Word documents, PDF files, and more. 
  3. Never respond to emails or request forms that ask you to enter your HSU credentials for ANY reason. ITS will never ask you for your password. Any such emails are fraudulent and have been sent by someone trying to either hijack your email account or infect your computer with malware, ransomware, etc.
  4. Be careful when opening ANY email attachments and do not rely solely on your antivirus software to keep you safe. No antivirus program can know about or block all malware.

While Google is getting better at identifying malware attachments and labeling fraudulent emails as Junk/Spam, the security of your computer and your email account depends on your vigilance in following basic security guidelines; there are no silver bullets, and bad email attachments can make it through without being caught.

Read more about email security at:

You may also be interested in subscribing to the Federal government's Security Alert newsletters at:


Uninstall Apple Quicktime for Windows - April 2016

Apple confirmed in mid April 2016 that they will no longer provide security updates for their Quicktime for Windows software. Two Zero Day vulnerabilities for Quicktime have been reported since the announcement, prompting the Department of Homeland Security to issue advisories to uninstall Quicktime for Windows. You can read more about this issue on the US CERT website.

Read Apple's End-of-Support announcement

Take care when using anonymizing services

Anonymizing services like TOR, cyber Ghost, and others are becoming increasingly popular as we live more and more of our lives online. While you may have many reasons to be concerned about your online activity being tracked, you also incur some real risks when you use such services to access your HSU accounts.

Logging into a password-protected online resource that's tied to your real name through an anonymizing service undermines your anonymity. No matter whether that resource is HSU, another government agency, or a commercial Internet service, have no doubt that a valid law enforcement request for the identity of the person who logged in from a given internet address at a given time will be answered.

Anonymizing services also have an impact on how we combat phishing attacks. When a known compromised account logs in to the HSU networks from a given IP address, we watch for other user names logging in from that IP address and lock those accounts. The criminals behind phishing scams are starting to use anonymizing proxy services, and so there is a strong risk you'll get caught up in that whole mess and end up with a locked account.

If you want use these services at home on your personal devices, that's fine. But please don't mix them with your school or work activities - you'll actually undermine the anonymity you're trying to preserve and put yourself at risk.

Compromised accounts 

The HSU Information Security Team has a new procedure to streamline the restoration of compromised accounts. If you find that your account has been locked, contact the Technology Help Desk at 707-826-HELP (4357). They will help regain access to your account and reset your password and security questions if necessary. 

To unlock your Gmail account, you're required to take a short online training course Your account will be unlocked about an hour after the course has been completed. 

Phishing & Spam - Don't be a Victim

We urge you to not click on any links, graphics, or ads in emails you weren't expecting or otherwise don't recognize. If you do so by accident, please reset your HSU password and security questions immediately and report the message as spam or phishing. Here's how to do this in Gmail:

Graphic of Gmail how to add email to phishing filter

If you use Outlook as your email client, click on the Junk button in the toolbar (it’s usually towards the left) and choose Block Sender. 

If you discover you are the inadvertent sender of those emails, this usually means that your account has already been compromised. Please contact the Technology Help Desk at (707) 826-HELP (4357) immediately.

Here’s a list of the most recent spams and phishes we’ve seen. 


October 2014 - Emails reported:

  • Eureka Police Department press release 10/29/2014 warns of email scam requesting cash donations for kidney transplants using local church email address and administrative assistant names.
  • Email reported 10/8/2014: Subject: Security Information...Due to the strengthening our security system and improving your mailing experience, We have detected your mail settings...

September 2014 - Emails and phone scams reported:

August 2014 - Emails reported: 


      Re-Validate- < Click Here>
    • Your E-File Form Updated
      It's Quick, Easy and Secure, Kindly click on the link below to update your IRS E-file.



Report an Incident

By email (24/7):

By phone (daytime): (707) 826-3815

By phone (after hours): (707) 826-5555 (University Police Department)

For non-urgent information security concerns, please click on the appropriate email address below to send a message to the information security team:

Physical safety issues, including cyberstalking and cyberbullying, should be reported to the HSU Police Department by calling 911 or 5555 from any campus phone.