Phishing: Don’t Take the Bait!

Phishing is a common type of scam used to elicit confidential information. Most often, phishing comes in the form of an email that appears to be sent from a trustworthy company or person and contains malicious links, requests for information, or harmful attachments.

Remember, if an email seems suspicious, do not reply to the sender and do not click on any links or attachments within the message.

If you see something, say something. Send any suspicious message as an email attachment to USC’s Information Security Team at phishing@usc.edu for review. (For instructions on how to send emails as attachments, visit https://it-security.usc.edu/2013/07/19/reporting-a-phishing-email).


What to watch for:

1. Urgent action requests that threaten negative consequences

2. Bad grammar and spelling mistakes

3. An unfamiliar or generic greeting

4. Inconsistencies in email addresses, links, and/or domain names

  • A sender email address that does not match who the email claims to be from (e.g., an email posing as a USC staff member sent from USC@gmail.com instead of example@usc.edu)
  • Links that do not go to the URL they advertise (e.g., an email posing as Amazon but using the URL www.Am-azon.com)

5. Suspicious links or attachments

  • Unexpected attachments
  • Attachments with two file extensions (e.g., Attachment.pdf.zip)
  • Attachments with file extensions that do not match the function (e.g., the attachment is named Attachment.exe but the file should be a PDF)
  • Documents that require macros to be enabled
    • The use of macros is a common business practice; be 100% positive the document is valid before enabling them
  • Links that automatically download a file

6. Requests for login credentials, payment information, or confidential data

  • Links to password reset/login pages
    • Remember: USC will never request confidential information or passwords via email

7. Unexpected emails

  • E.g., an email from UPS regarding package delivery when you are not expecting any packages

8. Too-good-to-be-true emails

  • The message will incentivize you to click on a link or open an attachment to get some reward

If you believe you have fallen for a phishing scam, contact security@usc.edu immediately.

For information on the latest phishing attempts reported at USC, visit the ITS Information Security blog at it-security.usc.edu.
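
The two checks in item 4 (sender address and link destination), automated in Python for anyone triaging reported messages. This is an added example, not part of the original USC guidance; `find_indicators`, `claimed_domain` and the sample message are assumptions constructed for illustration, and the checks are heuristics rather than a complete filter.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that is itself a URL or bare hostname, e.g. "www.amazon.com"
TEXT_IS_HOST = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def host_of(value):
    """Hostname of a URL or bare host string, lower-cased, without 'www.'."""
    value = value.strip()
    host = urlparse(value if "//" in value else "//" + value).hostname or ""
    return re.sub(r"^www\.", "", host)

def find_indicators(raw, claimed_domain):
    """Heuristic checks for item 4 of the list; returns a list of findings."""
    msg, findings = message_from_string(raw, policy=policy.default), []
    domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    if domain != claimed_domain and not domain.endswith("." + claimed_domain):
        findings.append(f"sender domain {domain} is not {claimed_domain}")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown = text.strip()
                if TEXT_IS_HOST.match(shown) and host_of(shown) != host_of(href):
                    findings.append(f"link shows {shown} but goes to {host_of(href)}")
    return findings

# Constructed sample combining the page's two examples; not a real email.
SAMPLE = ('From: USC Help Desk <USC@gmail.com>\nContent-Type: text/html\n\n'
          '<a href="https://www.am-azon.com/">www.amazon.com</a>\n')
```

Calling `find_indicators(SAMPLE, "usc.edu")` returns one finding for the Gmail sender and one for the link whose text and destination differ. Links with ordinary wording such as "Click here" are not compared, so they still need a manual hover check.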