Text Size
Increase text size
Increase text size

Phishing Attack Information for State Employees

The information below is designed to help State of Colorado employees avoid phishing attacks that target state government and what to do if they become a victim.


What is a Phishing Attack?

Phishing, or Password Harvesting Fishing, is a social engineering attack that attempts to trick you into revealing your username and password with an email message. A common form of Phishing attack is an email pretending to be from a trusted site such as a bank, online retailer, or software company. The attacker's goal is to get you to click on a link within the email body. The messages are designed to look identical to a legitimate message you might receive from a trusted source.


Once the recipient of the email clicks on the link, they are taken to a web site that the attacker has set up to mimic a site the recipient trusts. If the site is convincing enough, the victim may enter their username and password allowing the attacker to gain full access to the victim's account on that site. If a victim also reveals their online banking credentials, an attacker could access that bank account and would be able to withdraw funds or conduct other mischievous or malicious acts.


Phishing attacks are generally thought of as emails containing links, however, they may also have attachments that, if opened, may have malicious code embedded in them.


What Can I do to Prevent Phishing Attacks?

The Colorado Office of Information Security takes the protection of the State's electronic data seriously and that includes making sure state employees know that by following best email use practices, you are also helping to keep electronic data protected.


Never click on links in email or instant messages that you didn't expect. Never open attachments from unknown email addresses or that appear suspicious, and do not open personal email on workstations that have access to Restricted or Confidential information such as Protected Health Information (PHI).


Note that a trusted source will never ask for your password or personal information.


What if I have questions or believe I may have been the victim of a phishing attack?

If you have questions about Phishing or email best practices, contact your Service Desk.