New email warning tags now show on many USC-affiliated emails after a large security flaw was discovered Oct. 18.

In a communitywide email Oct. 21, Information Technology Services acknowledged the warning tags but stated they were a product of Cybersecurity Awareness Month. 

“In that spirit, we are making it easier to spot a potentially malicious email,” they wrote. 

Daily headlines, sent straight to your inbox.

Subscribe to our newsletter to keep up with the latest at and around USC.

ITS said various warning tags will show depending on the email’s sender and recipient, and confirmed that emails from outside the University may be flagged. 

The ITS email, ironically, was flagged as potentially suspicious because it was sent using an external email service. The system also flags any emails from non-USC addresses as suspicious, including Handshake and Mailchimp. Additionally, it flags emails from University-sponsored sources such as the Career Center. 

Other banners may appear depending on the email. Messages include “someone may be impersonating the sender” and “you have not previously corresponded with this sender.” In certain cases, emails come with multiple warnings. 

Several days earlier on Oct. 18, “Morning, Trojan,” a digital newsletter for USC students, uncovered a security issue that allows individuals to spoof USC accounts. Spoofing means disguising oneself as a trusted individual to access sensitive information. 

“Morning, Trojan” was able to verify that various administrators can be spoofed, including President Carol Folt and Provost Andrew Guzman. 

In all cases, the sender’s address and profile photos were impersonated, making the spoofed account virtually unidentifiable from the real account. 

In certain cases, these emails would be marked as potential spam, but in all tested cases arrived in a recipient’s primary mailbox. A pattern based on administrative level was not apparent. For instance, some of Provost Guzman’s spoofed emails were marked as spam, but mail from President Folt’s spoofed account was not. 

Tomoki Chien, one of the authors of the “Morning, Trojan” article, spoke with the Daily Trojan about the new email banners and said he disapproved of the security method.

“The banners are now flagging … things that are completely innocuous,” said Chien, a junior majoring in journalism. “[If anything] actually malicious were to land in your inbox, there is a lower chance that you will pay attention to that banner.” 

Chien said “Morning, Trojan” reporters discovered the spoofing issue Friday, Oct. 18, and ITS was made aware of the problem that morning. The Universitywide email announcing new email banners was sent Oct. 21, but banners appeared the weekend prior. 

In a statement to the Daily Trojan Oct. 28, ITS wrote they were aware of the spoofing issue and were actively working to resolve it. 

“We were alerted to an email security concern and immediately engaged our information technology and cybersecurity teams, along with industry-leading partners,” ITS wrote. They did not comment on their progress toward resolving the problem, or whether the email banners were a result of the security concern. 

ITS’s issues are not unique to USC. Many universities use outdated systems and email servers because an overhaul is resource- and time-intensive. 

USC uses Simple Mail Transfer Protocol, which allows anyone on the internet to send emails to USC affiliates, not just those within the USC organization. However, its ease of access makes it accessible to spammers and spoofers. In modern times, SMTP’s security is often improved through filtering and security policies implemented by an organization. 

Perhaps the most well-known example of an outdated system at USC is the Student Information System, which many students know as OASIS.

OASIS manages an enormous amount of student information, ranging from enrollment status to financial transactions. Because of its age, OASIS’ appearance is dated.  However, the size and scope of such a system means overhauling it and fixing issues is a monumental task. This could necessitate portions of the system being offline for days or weeks. 

Anya Jimenez, a junior majoring in writing for screen and television, said the new email banners will help the University community. 

“Part of the way to fight [scammers and spoofers] is just making students and faculty … aware that there is a possibility for hacking and scams,” Jimenez said. 

USC informs students about cybersecurity, ranging from courses in the Information Technology Program to emails from the Department of Public Safety warning about scams. However, issues such as spoofing serve as a reminder that people must express caution online, even when communications appear legitimate. 

To Chien, the biggest surprise was how easily emails could be impersonated, with individuals needing only a computer and basic cybersecurity knowledge. 

“You could spoof from a home network,” Chien said. “You don’t need a compromised email address … anybody can do it.” 

Tomoki Chien was previously a photo editor at the Daily Trojan. Chien is no longer affiliated with the paper.