Spear Phishing Email Warning

Spear phishing emails are customized messages sent to specific individuals that appear to come from a trusted source, such as the CDE. These emails are sent by malicious actors who want to steal your sensitive information, such as passwords, bank account, or personal data. These emails may contain links to fake websites that look like the CDE's official site, or attachments that contain malware that can infect your computer or network. If you receive such an email, do not click on any links, or open any attachments, and report the email to your information technology department immediately.

Please be aware that all emails from the CDE will have a domain of @cde.ca.gov, and the primary CDE public website has a web address of www.cde.ca.gov.

Spear Phishing Email Example

The display name of the sender reads “California Department of Education,” but the From address includes @icloud.com instead of @cde.ca.gov. The email body contains personalized details, making it appear legitimate, and creates urgency by saying it will "expire after 24 hours," which is a common phishing tactic. Furthermore, when hovering over the "CLICK HERE TO UPDATE..." button/link, the destination web address does not include .cde.ca.gov.

If the “CLICK HERE TO UPDATE..” button is selected, the user is directed to a web page that looks like the home page for the CDE’s public website. The web page automatically displays a modal window that asks for sensitive personal information.

However, by inspecting the information in the web address section of the web browser, the user will notice the domain name ends in pantheonsite.io (instead of cde.ca.gov).

Additional Resources

• Cybersecurity and Infrastructure Security Agency: Recognize and Report Phishing
• National Cybersecurity Alliance: Cybercriminals like to go phishing, but you don’t have to take the bait