Email is one of the most common ways attackers try to steal your password, your money, and University data. A phishing message impersonates a person or organization you trust and tries to get you to open a harmful attachment, enter your credentials on a fake login page, or hand over sensitive information. This article explains how phishing works today, how to protect yourself, and how to report a suspicious message to Pitt Digital.
Warning: You can no longer spot phishing just by looking for bad grammar and typos.
Attackers now use AI to write phishing emails. The messages arriving in your inbox are often polished, correctly branded, free of spelling errors, and personalized to you. A professional-looking email is no longer a sign that it is genuine.
How Phishing Works
Most phishing has a specific payoff in mind. The table below shows what attackers are usually after and the tactics they use to get it.
What phishing attackers are typically after, and how they try to get it
| Goal | Common tactic |
| --- | --- |
| Your credentials | A link to a fake login page that mimics Pitt Passport, Outlook, OneDrive, or a vendor portal. You enter your username and multifactor code, and the attacker captures both and signs in as you. |
| Money or gift cards | A message impersonating a manager or executive that asks you to buy gift cards, wire funds, or change a direct-deposit account "urgently." This is business email compromise, and it has cost universities millions. |
| Access to your device | A malicious attachment or link that installs malware when opened. The malware can steal data, encrypt files for ransom, or pivot to other systems on the network. |
| Personal data | A form or reply that asks for your Social Security number, bank account information, or other sensitive details, often framed as a "verification" step. |
What AI Has Changed
Security teams across the industry are seeing the same shift. In its 2026 Phishing Threat Trends research, the security-awareness vendor KnowBe4 found that the large majority of the phishing it analyzed over the prior six months showed signs of AI assistance, and that AI-written lures are clicked far more often than older, hand-written ones. AI lets an attacker produce a flawless, on-brand message in seconds and personalize it to you at no extra effort.
Note: Phishing by the numbers.
According to KnowBe4's April 2026 Phishing Threat Trends Report (Vol. 7), phishing volume rose roughly 17% compared with the previous six months, and most phishing messages now arrive carrying a link — sometimes disguised as a QR code — rather than a file attachment. Branding and personalization are increasingly automated, so they no longer signal that a message is safe.
What that means for you:
- Polish is not proof. Correct logos, clean formatting, and perfect spelling no longer mean a message is real.
- Personalization is cheap. A message that uses your name, your role, or a recent activity is not automatically trustworthy — attackers can generate those details automatically.
- A convincing login page can still be fake. Attackers can build pixel-perfect copies of Microsoft 365, DocuSign, and similar sign-in pages and host them on real, reputable web services, so the page looks right and can even pass automated security checks.
Why familiar phishing "red flags" are no longer reliable on their own
| Old rule of thumb | Why it is no longer enough |
| --- | --- |
| "Look for spelling and grammar mistakes." | AI writes clean, fluent text, so most AI-assisted phishing has none. |
| "The logo and formatting look right, so it's real." | Branding is easy to copy exactly; a correct appearance proves nothing. |
| "It used my name, so it must know me." | Personal details can be generated or pulled from public sources automatically. |
| "The link looked normal and my filter didn't block it." | Fake pages are often hosted on legitimate services, so they can slip past automated checks. |
Scams Often Come Through Services You Trust
Attackers increasingly deliver their scams through real, well-known services rather than obscure websites. A document-signing request, a shared file, or an account notification can be genuinely hosted on a brand you recognize — which is exactly why it slips past both your instincts and many automated filters. KnowBe4's April 2026 report identified the services most often abused this way:
- PayPal
- Google (Docs, Drive, and Classroom)
- Microsoft
- Zoom
- DocuSign
File-sharing and document services are common carriers as well, because a link to a shared file looks routine. Notably, Zoom and DocuSign have now overtaken Microsoft as the brands attackers impersonate most. The lesson is not to distrust these services — you rely on them every day — but to remember that a message arriving through one of them, or a link or file hosted on one, is not by itself proof that the request is legitimate. Apply the same checks you would to any other message.
Phishing Isn't Just Email Anymore
The inbox is no longer the only place these attacks land. KnowBe4 is seeing the same scams arrive through Microsoft Teams messages and even calendar invitations, frequently impersonating IT, Human Resources, executives, or Finance and pressing for an urgent response. People tend to trust a Teams chat or a meeting already sitting on their calendar without a second thought, which is exactly what attackers count on. Treat an unexpected Teams message or calendar invite with the same caution you would an email — particularly if it asks you to sign in, install something, or move the conversation to a phone call. The same scams also reach people by text message, social media, and phone calls, so apply the same caution wherever a message finds you.
Social Engineering and Phone Scams
Phishing is one form of social engineering — manipulating people into sharing confidential information or taking an action, often without the attacker ever meeting you. The same tactics turn up on the phone, where the approach is sometimes called pretexting: a caller invents a believable scenario and poses as someone with authority or a need to know — IT support, your bank, a tax or government agency, the police, or a coworker or executive — to pressure you into revealing information or making a payment.
The rule is the same across every channel: a legitimate organization will not contact you out of the blue to ask for your password, Social Security number, or card numbers. Never share sensitive information with someone who reaches you unexpectedly. If a call or message claims to come from an organization you work with and you are unsure, stop or hang up, then reach them using a phone number or website you look up yourself.
How to Spot a Phishing Email
Because polished, well-branded messages are now the norm, the most reliable warning signs are situational rather than stylistic. Pause when you notice any of these. A single match can be enough, and a message with none of them is not automatically safe.
Common phishing indicators worth pausing on
| Signal | What to look for |
| --- | --- |
| Unexpected message | You weren't expecting it, and the sender has no real reason to contact you about this topic. This is the single most useful filter. |
| Mismatched sender | The display name says one thing (for example, "IT Help Desk"), but the actual email address is something else: a personal Gmail address, an unfamiliar domain, or a lookalike of a real one such as micros0ft.com (a zero in place of the "o") or rnicrosoft.com (an "r" and "n" in place of an "m"). Hover over the sender's name to see the real address. |
| Urgency or pressure | "Your account will be closed in 24 hours." "Respond immediately." "The CEO needs this before the end of the day." Urgency is designed to bypass your judgment. |
| Unusual request | Anything outside the normal process: gift cards, wire transfers, direct-deposit changes, sharing credentials, or skipping standard approvals. Legitimate requests follow normal procedures. |
| Suspicious link | The visible link text says one place, but the real destination is somewhere else. Hover over the link, without selecting it, and read the address that appears. Safe Links rewrites these to begin with nam01.safelinks.protection.outlook.com; that prefix is normal, so what matters is the destination encoded inside it. |
| Generic greeting | "Dear User," "Hello Customer," or your email username (everything before @pitt.edu) used as a name. Legitimate Pitt messages usually use your real name. |
| Unexpected attachment | An attachment you didn't ask for, especially one named to make you curious, such as Invoice.pdf, Resume.docx, or Voicemail.html. Don't open it. Verify with the sender first through a known channel. |
| Defender safety tip | Outlook may show an inline yellow or red banner, such as "This sender failed authentication checks" or "You don't usually get email from this sender." Take these seriously, because Defender for Office 365 is flagging something concrete. |
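Two of the signals above, the lookalike domain and the Safe Links wrapper, can be checked mechanically. The Python below is an added example, not Pitt Digital's or KnowBe4's tooling: it unwraps a Safe Links URL (the real destination sits percent-encoded in the wrapper's `url` query parameter), compares the destination's domain with a short trusted list, and undoes the character swaps the table mentions (a zero for "o", "rn" for "m") to recognize a lookalike. The wrapped URLs, the trusted list and the two-label domain rule are constructed simplifications for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# A Safe Links wrapper carries the original destination percent-encoded in
# its "url" query parameter; the wrapper host always ends in this suffix.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
# Swaps used to build lookalike domains (the page's examples: zero for "o", "rn" for "m").
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
# Constructed allow-list for the example; a real one is organization-specific.
TRUSTED = {"microsoft.com", "docusign.com", "pitt.edu"}

def unwrap_safelink(url: str) -> str:
    """Return the destination behind a Safe Links wrapper, or the URL unchanged."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower().endswith(SAFELINKS_SUFFIX):
        inner = parse_qs(parts.query).get("url")
        if inner:
            return inner[0]  # parse_qs has already percent-decoded the value
    return url

def registrable_domain(url: str) -> str:
    """Last two host labels: a simplification that suits .com/.edu hosts."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def shown_domain(visible_text: str):
    """Domain named by the link's visible text, if that text is itself a URL."""
    text = visible_text.strip()
    if " " in text or "." not in text:
        return None
    return registrable_domain(text if "://" in text else "https://" + text)

def normalize_lookalike(domain: str) -> str:
    """Undo the HOMOGLYPHS swaps so micros0ft.com and rnicrosoft.com read as microsoft.com."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain

def assess_link(visible_text: str, href: str, trusted=TRUSTED) -> dict:
    """Flag untrusted or lookalike destinations and text/destination mismatches."""
    dest = unwrap_safelink(href)
    domain = registrable_domain(dest)
    reasons = []
    if domain not in trusted:
        normalized = normalize_lookalike(domain)
        reasons.append(f"lookalike of {normalized}" if normalized in trusted
                       else "destination not on the trusted list")
    shown = shown_domain(visible_text)
    if shown and shown != domain:
        reasons.append(f"text shows {shown} but link goes to {domain}")
    return {"destination": dest, "domain": domain, "reasons": reasons}
```

An empty `reasons` list means the destination is on the trusted list and matches whatever the visible text claims; it does not prove the message itself is legitimate.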
How to Protect Yourself
Spotting a red flag is the first step. These habits protect you even when a message looks completely convincing.
Check the address bar before you sign in
Before entering your password on any page, look at the website address in your browser's address bar. A real Microsoft sign-in page is on microsoft.com; a real DocuSign page is on docusign.com; the real Pitt sign-in is on pitt.edu. If the address is anything else — even if the page looks perfect — do not enter your credentials. This check matters even if you use multifactor authentication: some fake login pages relay everything you type, including your verification approval, straight to the real service in real time, so the second factor alone won't stop them. Where it is offered, choosing a phishing-resistant sign-in method such as a passkey or a hardware security key gives the strongest protection against this kind of relay attack, because it is tied to the real website's address and cannot be handed to a fake one.
Confirm urgent or unexpected requests through a channel you trust
Phishing relies on pressure: an account that will "expire," an invoice that's "overdue," a prize you need to "claim now." If a message asks you to log in, pay, or share information urgently, do not use the links or buttons inside the message. Instead, open the service yourself by typing in an address you already know, or contact the person or office using a phone number or email you look up independently.
Be careful with QR codes
Treat a QR code like any other link: only scan one from an email or attachment when you are sure of the sender, because a code can hide a malicious address just as easily as a link can. On a phone, press and hold a link to preview where it leads before opening it. When something feels off, it is always safe to stop and report a message rather than act on it.
Note: When in doubt, report it.
You will never get in trouble for reporting a message that turns out to be legitimate. Reporting is always the safe choice when you are unsure.
How to Report a Suspicious Email
Although your first instinct may be to ignore or delete a suspicious email, we recommend reporting it to our security team. We will examine the message and, if necessary, advise you of any further steps to take.
Preferred: KnowBe4 Phish Alert Button (PAB)
The PAB is the fastest and most reliable way to report a suspicious message. It is available in Outlook on Windows, Mac, the web, and mobile. One select reports the message directly to Pitt Digital Security, removes it from your inbox, and preserves the full message metadata needed for investigation.
Look for the hook in your Outlook ribbon.
For step-by-step instructions, see Reporting Phishing Emails Using KnowBe4's Hybrid Phish Alert Button.
Alternative: Microsoft's built-in Report button in Outlook
If the PAB is not available, use the built-in Report button on the Outlook ribbon (or in the three-dot menu on a message) and select Report phishing. Unlike the PAB, which is only for phishing, this button can also report junk or spam. The button's exact location varies by Outlook version — see Microsoft's documentation on reporting phishing in Outlook.
Last resort: Forward as an attachment to phish@pitt.edu
If neither of the above is available — for example, if you are not using Outlook — forward the suspicious message as an attachment to phish@pitt.edu. Forwarding as an attachment is what preserves the original headers and metadata Pitt Digital Security needs to investigate. Do not use this address for spam reports or general questions.
If You Think You Fell for One
If you entered your password or shared information on a page you now suspect was fake, act quickly — fast action limits the damage.
- Note what happened while it's fresh: what information you entered (such as your username, password, or account numbers) and where it happened (email, Teams, or a website).
- Change your University Computing Account password right away, and change it anywhere else you used the same password. Use a unique password for each account.
- Make sure multifactor authentication is protecting your accounts. For your University Computing Account, confirm Duo is set up; for non-Pitt accounts such as personal email, banking, and social media, turn on multifactor authentication wherever it is offered. Where you can choose, use the most phishing-resistant option available — a passkey or a hardware security key — rather than a texted code or a push approval, which a fake page can capture.
- Report the message with the Phish Alert Button (PAB). If you entered your University Computing Account password, also contact the Technology Help Desk at 412-624-HELP (4357) right away so they can help secure your account.
- If you shared credit card or bank details, contact those companies. If you lost money or believe your identity was stolen, report it to local law enforcement.
Keep Learning
Take the phishing training course
Learn how phishing attacks work and how to recognize and respond to one with the Pitt Digital Phishing Foundations interactive mini-course through KnowBe4.
Phishing that hides in spam
Spam is unwanted "junk" email that can quickly fill your inbox. Never respond to a spam message or select a link in one — doing so confirms your address to the spammer and tends to bring more spam. Most spam is merely annoying, but some of it is actually a phishing attempt: harmful software and credential-stealing links are often delivered through messages that look like ordinary spam, so treat it with care.
Can you pass our phishing simulation?
The University's phishing awareness program periodically sends simulated phishing emails designed to imitate a real scam. These simulations are completely safe, and there are no negative consequences if you respond to one by mistake. If a simulation does fool you, we recommend reviewing the brief educational material presented afterward.