Overview
Scammers and cybercriminals may attempt to trick you into giving away your personal and USC data. For example, you may receive an email that appears to be from a legitimate source and asks you to click a link or download an attachment. This type of scam is known as phishing, and in this guide we explain how to be on the lookout for it.
Received a suspicious email?
Do not click suspicious links or open suspicious attachments. Instead, use the Report Phish button available on all USC Outlook and Gmail accounts, or forward the email to phishing@usc.edu.
If you believe you have fallen for a phishing scam, email security@usc.edu or call the ITS 24/7 support line at 213-740-5555. If you believe your USC NetID has been compromised, you can immediately change your passphrase for safety:
Real examples of phishing at USC
The USC Office of Cybersecurity publishes a curated collection of phishing examples and advice for staying vigilant:
Some real phishing examples at USC:
Warning signs to look for
These are some common indications that an email may be a phishing attempt:
- An urgent action request that threatens negative consequences—or an enticing offer
- A sender address that doesn't look quite right (for example, the email claims to be from a USC office, but the sender address is usc@legitcompany.com instead of @usc.edu)
- A request for login credentials, payment information, or confidential data
Examples of phishy subject lines or demands:
- "URGENT: Action Required Immediately"
- "Invoice due"
- "Please verify your address for delivery"
A note about AI
With the growing use of AI tools, phishing emails are becoming increasingly sophisticated. The change can be as simple as fewer typos or grammatical errors than you are used to seeing in phishing emails in the past, or as advanced as an increased level of personalization.
Beyond phishing: vishing, smishing, and quishing
In addition to phishing, cybercriminals may employ methods such as vishing (scam phone calls), smishing (scam text messages), and quishing (scam QR codes).
In the case of vishing and smishing, the warning signs are similar to those of phishing:
- An urgent action request that threatens negative consequences—or an enticing offer
- An unknown or unverified number
- An unfamiliar or generic greeting
- A request for login credentials, payment information, or confidential data
In the case of quishing, QR codes can appear within the text of an email or on signage displayed on screens or posters. Some warning signs are:
- QR codes emailed to you from unknown senders
- QR codes that lead to login pages or request payment information
- QR stickers overlaid on legitimate signage, or signs of tampering on the QR code
A note about AI and deepfakes
Scammers may try to convince you to provide USC information or give them remote access to your computer. They are using sophisticated techniques such as:
- Using personally identifiable information (PII), which they may have purchased, to further their efforts to gain access or information
- Using generative AI to impersonate, mimic, or obfuscate their voice identity
- Using the names of actual staff members to sound like an authorized person
Verifying a call from IT
USC staff will never request confidential information or passwords via email, phone call, or any other method, and will never pressure you if you express doubt or want to verify an identity. For example, neither DTS nor ITS will call you unprompted and ask you to install remote troubleshooting software for computer updates.
Contact DTS or ITS to verify
If you receive a suspicious call claiming to be from IT or from the Help Desk, hang up and call the official numbers to verify the call's legitimacy:
- DTS Help Desk: 213-740-2775, available weekdays from 9am–5pm
- ITS Help Desk: 213-740-5555, available 24/7
Additional resources
The following resources were consulted for this guide, and may be useful if you would like to learn more. You will need to log in with your USC NetID for access:
Recorded webinar
Do Your Part, Be Cybersmart by IANS Faculty Nicole Dove (2024)
This excellent 45-minute webinar discusses phishing and QR phishing, with a focus on how generative AI and deepfakes have increased the sophistication of these attacks. It also discusses why managers and long-time employees are more often targeted by these attacks than individual contributors and new hires.
Guides from the USC Office of Cybersecurity
Trainings
TrojanLearn hosts USC's information security courses, including Email Security training and Social Engineering training.
You can also find the TrojanSecure Shorts on TrojanLearn: this series of brief videos reviews different forms of phishing, including themed phishing, social media phishing, and spearphishing.