Phishing Emails: Don't Take the "Bait"

Phishing is the most common entry point for serious cybersecurity incidents at universities — more than 90% of data breaches start with a phishing email. Attackers send messages that look like they come from a trusted source (Pitt, a vendor, a colleague, your bank) to trick you into clicking a malicious link, opening a harmful attachment, or handing over your credentials. This article describes what phishing looks like, how to spot it, and the preferred ways to report it so Pitt Digital Security can protect everyone else who received the same campaign.

If a message feels off, don't engage with it. Don't reply, don't select links, don't open attachments, don't forward it to friends to ask their opinion. Report it through the KnowBe4 Phish Alert Button (PAB) in Outlook — that single action sends the message to Pitt Digital Security with the metadata they need, and removes it from your inbox so you can't act on it later by mistake.

How Phishing Works

A phishing email is a fraudulent message designed to impersonate a legitimate person or organization. The attacker's goal is to get you to take a specific action that compromises you or the University.

What phishing attackers are typically after, and how they try to get it:

Your credentials: A link to a fake login page that looks like Pitt Passport, Outlook, OneDrive, or a vendor portal. You type your username and multifactor code; the attacker captures both and signs in as you.
Money or gift cards: An impersonation of a manager or executive asking you to buy gift cards, wire funds, or change a direct-deposit account "urgently." This is business email compromise, and it has cost universities millions.
Access to your device: A malicious attachment or link that installs malware when opened. The malware then steals data, encrypts files for ransom, or pivots to other systems on the network.
Personal data: A form or reply that asks for your Social Security number, bank account information, or other sensitive personal data — often framed as a "verification" step.

How to Spot a Phishing Email

Modern phishing — especially with the help of generative AI — no longer has the obvious grammar errors and stilted phrasing of past campaigns. Attackers craft messages that read naturally. The reliable signals are situational, not stylistic.

Common phishing indicators worth pausing on:

Unexpected message: You weren't expecting it, and the sender has no reason to be contacting you about this topic. This is the single most useful filter.
Mismatched sender: The display name says one thing ("IT Help Desk") but the actual email address is something else (a personal Gmail address, an unfamiliar domain, a lookalike of pitt.edu). Hover over the sender's name to see the real address.
Urgency or pressure: "Your account will be closed in 24 hours." "Respond immediately." "The CEO needs this done before the end of the day." Urgency is designed to bypass your judgment.
Unusual request: Anything outside ordinary process — gift cards, wire transfers, changes to direct deposit, sharing credentials, bypassing normal approvals. Legitimate requests follow normal procedures.
Suspicious link: The visible link text says one place but the actual URL goes somewhere else. Hover over the link (don't select it) and read the URL that appears. Safe Links rewrites these to begin with nam01.safelinks.protection.outlook.com — that prefix itself is normal; what matters is the destination encoded inside.
Generic greeting: "Dear User," "Hello Customer," or your email username (everything before @pitt.edu) used as a "name." Legitimate Pitt messages typically use your actual name.
Unexpected attachment: An attachment you didn't request, especially one named to provoke curiosity ("Invoice.pdf," "Resume.docx," "Voicemail.html"). Don't open it — verify with the sender first through a known channel.
Defender safety tip: Outlook may show an inline yellow or red banner — "This sender failed authentication checks," "You don't usually get email from this sender." Take these seriously; Defender for Office 365 is flagging something concrete.
The verification rule.
If an email asks you to take an unusual action — wire money, change a payment account, share credentials, buy gift cards — verify with the sender through a different channel before doing it. Call them at a number you already had (not one in the email). Walk down the hall. Use Teams chat. Phishing relies on you trusting the email itself; a 30-second sanity check defeats the attack.
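The "Mismatched sender" and "Suspicious link" signals above are mechanical enough to check in code. The following Python is an added example, not part of this article or of any Pitt or KnowBe4 tool: it unwraps a Safe Links URL to show the real destination, compares it with the host the visible link text advertises, and flags a display name or lookalike domain that invokes the University while the address is not under pitt.edu. It assumes pitt.edu is the only first-party sender domain, and the Safe Links URL is a constructed sample.

```python
import re
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Assumption for this example: the only first-party sender domain is pitt.edu.
TRUSTED_DOMAIN = "pitt.edu"

# Constructed sample: a Safe Links wrapper around a lookalike "Pitt Passport" page.
SAMPLE_SAFE_LINK = (
    "https://nam01.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fpitt-passport-login.example.net%2Fauth&data=05%7C01%7C&reserved=0"
)

# Matches text that looks like a host or URL (e.g. "my.pitt.edu"), not "Click here".
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.IGNORECASE)


def safe_links_destination(href):
    """Unwrap a Safe Links URL: the real target is percent-encoded in its 'url'
    query parameter. Anything that is not a Safe Links URL is returned unchanged."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if host.endswith(".safelinks.protection.outlook.com"):
        inner = parse_qs(parsed.query).get("url")  # parse_qs already percent-decodes
        if inner:
            return inner[0]
    return href


def link_mismatch(visible_text, href):
    """'Suspicious link' signal: the text shows one host, the link goes to another.
    Returns the real host when they differ; None if the text is not a URL or they match."""
    shown = visible_text.strip()
    if not URL_LIKE.fullmatch(shown):
        return None
    shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname
    real_host = urlparse(safe_links_destination(href)).hostname
    if shown_host and real_host and shown_host.lower() != real_host.lower():
        return real_host.lower()
    return None


def sender_mismatch(from_header):
    """'Mismatched sender' signal: the display name or domain invokes the University,
    but the address is not actually under the trusted domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    is_first_party = domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)
    label = TRUSTED_DOMAIN.split(".")[0]  # "pitt"
    if not is_first_party and (label in name.lower() or label in domain):
        return f"claims {label!r} but is actually sent from {addr}"
    return None
```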

Reporting a Phishing Email

Reporting phishing is what stops a campaign from spreading. Pitt Digital Security uses your reports to remove copies of the same message from other inboxes, block the sender at the gateway, and warn the community when an active campaign is underway. Pitt supports three reporting methods, listed below in order of preference. Use the highest method available to you.

Scope: these reporting paths are for suspicious messages that arrived in your inbox normally — never for messages you released from quarantine.
A message held in quarantine has already been identified. If you released a quarantined message and then realized it was phishing or spam, simply delete it from your inbox. See Don't Report Quarantined or Released Messages below.

PREFERRED

KnowBe4 Phish Alert Button (PAB)

The PAB is the fastest and most reliable way to report a suspicious message. It is available in Outlook on Windows, Mac, the web, and mobile. One select reports the message directly to Pitt Digital Security, removes it from your inbox, and preserves the full message metadata needed for investigation.

Figure: The KnowBe4 Phish Alert button as it appears in the Outlook ribbon. Look for the fish-hook icon.

For step-by-step instructions, see Reporting Phishing Emails Using KnowBe4's Hybrid Phish Alert Button.

ALTERNATIVE

Microsoft's built-in Report button in Outlook

If the PAB is not available, use the built-in Report button on the Outlook ribbon (or in the three-dot menu on a message) and select Report phishing. The button's exact location varies by Outlook version — see Microsoft's documentation on reporting phishing in Outlook.

LAST RESORT

Forward as an attachment to phish@pitt.edu

If neither of the above is available — for example, if you are not using Outlook — forward the suspicious message as an attachment to phish@pitt.edu. Forwarding as an attachment is what preserves the original headers and metadata Pitt Digital Security needs to investigate. Do not use this address for spam reports or general questions.

Do not use a standard forward.
A standard forward of a suspected phishing message to phish@pitt.edu strips the headers needed for investigation and may trigger automated security actions on your account. Always report through the PAB or the Outlook Report button when possible, and forward only as an attachment when neither is available.

Don't Report Quarantined or Released Messages

Do not report quarantined or just-released messages as phishing or spam.
A message that was held in quarantine has already been identified and acted on — Pitt Digital Security does not need a second report of it, and a duplicate report adds noise that competes with reports of genuinely missed threats. If you release a message from quarantine and then realize it is phishing or spam, simply delete it from your inbox. Do not use the PAB, the Outlook Report button, or phish@pitt.edu for messages you released from quarantine — those reporting paths are reserved for messages that bypassed the filters and arrived in your inbox unexpectedly. See Managing Spam and Quarantine (Exchange Online Protection) for guidance on releasing messages carefully in the first place.

If You Already Selected a Link or Opened an Attachment

Call the Help Desk — don't use the Report button.
If you may have entered credentials, downloaded a file, or otherwise interacted with a phishing message, call the Technology Help Desk at 412-624-HELP (4357) immediately and ask for Pitt Digital Security. Voice contact lets an analyst assess the impact on your account in real time, which reporting the message alone cannot do. Early reporting is what makes containment possible.

Simulated Phishing at Pitt

The University periodically sends simulated phishing messages designed to look like real attacks. These simulations are safe — they are sent by Pitt's awareness program through KnowBe4, and there are no negative consequences for clicking one. The goal is to give you a low-stakes opportunity to practice spotting phishing, and to identify topics where additional training would help.

What happens if you select a simulated phishing link.
You'll see a brief educational page explaining what gave the simulation away. Read it — it identifies the specific signals you missed and the technique attackers use in that style of message. Reviewing that page is the entire point of the program. The fact that you clicked is not recorded against you punitively.

Reporting a simulated phishing message via the PAB is correct behavior — the system recognizes that the message was a simulation and credits you for catching it.

Training Resources

Pitt offers a short interactive course on phishing through KnowBe4 — the Phishing Foundations mini-course. It covers how phishing attacks work, how to recognize one in real time, and how to respond. See Pitt Digital Phishing Foundations Mini-Course to enroll.

Protect Yourself Against Future Threats

Pitt Digital is monitoring a surge in targeted spear-phishing attacks — sophisticated scams that incorporate personal details and often arrive from non-Pitt addresses such as Gmail. Your vigilance is what defeats them. The six practices below are the high-leverage things you can do to stay ahead of attackers.

Only approve Duo requests you initiated.

An unexpected Duo push notification means someone else has your password. Decline the request, change your Pitt Passport password immediately at my.pitt.edu, and report the incident to the Help Desk.

Use unique passwords and enable MFA everywhere.

Use a unique password for Pitt Passport and a different password for every other account. Enable multifactor authentication on every account that offers it — a stolen password without MFA is far more dangerous than one with.

Spot and report phishing scams.

Watch for urgency, unexpected senders, requests for credentials, or asks to reply from a personal email. Use the KnowBe4 PAB or Outlook's Report button to send suspected phishing to Pitt Digital Security.

Keep your software updated.

Enable auto-updates for your operating system, browser, and apps. University-managed Macs receive updates automatically; Windows users should ensure Windows Update is active. Unpatched software is the second-most-common entry point for attackers, after phishing.

Complete annual security training.

Search for security training on myPitt to access training powered by KnowBe4. Annual completion is the floor — the simulated phishing program supplements it throughout the year.

Only download apps from trusted sources.

Install apps only from official app stores. For University business, ensure any new application has undergone a vendor security risk assessment before you adopt it for sensitive or restricted data.

For the complete incident-response procedure if something goes wrong, see Report a Security Incident.

Key Contacts

Technology Help Desk, 412-624-HELP (4357): if you already clicked or interacted with a phishing message, or your account is compromised.
Pitt Digital Security, via the Help Desk or the PAB: phishing reports and follow-up investigation.