ITS warns students of phishing scams in email


Beginning the morning of April 18, a total of 2,784 phishing messages were delivered to members of the USC community.

An email claiming to be from “USC Admin” asked students, faculty and staff to verify their USC credentials. The email included a link that led to a form asking recipients to enter their USC username and password.

“While the message included several common indicators of a phishing email, such as the low-resolution graphics, grammatical errors and a generic salutation, it was believable enough to prompt us to warn students so that they would not become victims,” said David Shaw, the chief information security officer, in an email to the Daily Trojan.

ITS resolved the issue by working with its email protection vendor, Proofpoint, to block the link in the email.

“Anyone who clicked on the link would see a warning message indicating that the link had been blocked due to malicious content, and would not be able to access the site,” Shaw said. “In addition, we sent an email to students and placed alerts on both the ITS Security Blog and the ITS homepage.”

The identity of the originator, however, could not be found. According to Shaw, because phishing is a widespread problem that all organizations deal with, it is easy for perpetrators to cover their tracks, making it extremely difficult to track the senders. The originators of phishing emails often attempt to acquire basic information, such as students’ usernames and passwords, in order to ultimately infiltrate the internal system.

“In many cases, the authors of phishing emails are only after user credentials,” Shaw said. “They can then use these compromised credentials to access a company’s internal systems or the victim’s personal information. The goals of phishing campaigns are not always the same and are not always readily apparent.”

Regardless of the recent incident, many students believe that the University and their email providers do a good job of warning users about potential phishing attempts.

“Other than the warning emails USC sends us, I have not experienced nor heard of anyone else that has had issues with phishing,” said Michelle Huber, a junior majoring in environmental studies. “For my email, the phishing emails must be going directly into ‘Spam.’ I never check my spam email, but I have never gotten a phishing email.”

Hannah Bosnian, a freshman majoring in animation, had a similar reaction, saying she thinks the University does a good job warning students about potentially malicious emails.

“I have never had any experience with it. I just received warnings for them,” Bosnian said. “The only thing I did see was that Gmail has warnings for all the ‘dear sirs/madam’ emails. Google would, however, give me phishing warnings.”

However, some students have experienced phishing incidents, as ITS said. Madison Norton, a junior majoring in biological sciences and psychology, received such an email, but luckily did not provide any information because the sender was not an accredited website.

“I got an email requesting all my school information, like my ID number, from a website claiming that they are an honor society,” Norton said. “But it was not an accredited website, so I did not provide them my information.”

Shaw urged students to actively follow key email security practices in order to avoid becoming victims of phishing. He urged students to be suspicious of any message asking them to log into their accounts before they lose access, to type URLs directly into the browser rather than clicking links in emails in order to avoid visiting malicious or fake websites, and to change their USC NetID password as soon as they have received a phishing attempt.

“Remember that ITS will never ask you for your password in an email or over the phone,” Shaw said.