One Step Ahead
January 11, 2011
Volume 57, No. 17
Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy.
Tips to Help Defend Against Phishing
Recently we have seen a rise in phishing attacks and other scams intended to capture sensitive information and/or distribute malware. The University of Pennsylvania is seeing an increase in targeted phishing attacks.
As a reminder, “phishing” refers to fraudulent e-mails that appear to be legitimate messages from Penn or an outside institution. Phishing e-mails ask you for your username, password, credit card numbers, or other sensitive information, or direct you to a website, in hopes of capturing your credentials.
Below are some tips to help you identify these scams and avoid disclosing personal or private information:
1. No organization at Penn will ever ask you for your username and password via e-mail. If you get an e-mail asking for this information, assume it is a scam and do not respond.
2. Always check the “FROM” address of a message that solicits information or prompts you to log in, to see if it originated from a foreign or otherwise illogical address. For example, the latest round of Penn-directed phishing attacks came from a sender whose address ended in “@web.de” (“de” is Germany).
3. Double-check the URL of any website you are told to click on in an e-mail message, especially if, once directed there, you are asked to log in. We recommend typing any URLs directly into your browser rather than clicking on links. On a related note, be suspicious of URLs that take you to locations that don’t make sense (such as a website that claims to be associated with Penn but ends in .com, .org, .net, etc.).
4. The Office of Information Security attempts to catalogue Penn-specific phishing attempts at www.upenn.edu/computing/security/phish/. This list can help you quickly and confidently identify a scam.
5. When in doubt, don’t respond to the e-mail—instead, contact your Local Support Provider (LSP) for assistance.
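Tips 1 through 3 are mechanical enough to run as a screening check over a message before anyone clicks. The following is an added example, not code from this newsletter or from Penn’s Information Security office; it assumes upenn.edu as the trusted domain and uses two constructed sample messages (one modelled on the “@web.de” case above, one a legitimate notice) to show what gets flagged.

```python
import re
from urllib.parse import urlparse

# Assumption: the institution's own domain; a deployment would set its own.
TRUSTED_DOMAIN = "upenn.edu"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
SENDER_DOMAIN_RE = re.compile(r"@([\w.-]+)")
# Tip 1: a request to confirm/verify/send a username or password.
CREDENTIAL_REQUEST_RE = re.compile(
    r"\b(confirm|verify|validate|update|provide|enter|send)\b[^.\n]{0,40}"
    r"\b(password|pennkey|username)\b", re.IGNORECASE)

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage_message(sender, body, trusted=TRUSTED_DOMAIN):
    """Apply the newsletter's tips as checks; returns a list of findings (empty = nothing flagged)."""
    findings = []
    # Tip 2: where does the FROM address actually come from?
    m = SENDER_DOMAIN_RE.search(sender)
    sender_domain = m.group(1) if m else ""
    if not in_domain(sender_domain, trusted):
        findings.append(f"external sender domain: {sender_domain or '(none)'}")
    # Tip 3: a link whose host name invokes Penn but lives outside the trusted domain.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if "penn" in host.lower() and not in_domain(host, trusted):
            findings.append(f"look-alike link host: {host}")
    # Tip 1: no Penn organization asks for credentials by e-mail.
    if CREDENTIAL_REQUEST_RE.search(body):
        findings.append("asks for credentials")
    return findings

# Constructed samples, not real messages.
PHISH_SENDER = "Penn Webmail <admin@web.de>"
PHISH_BODY = ("Your mailbox is over quota. Please verify your PennKey password at "
              "http://penn-webmail-secure.com/login within 24 hours.")
LEGIT_SENDER = "isc-security@upenn.edu"
LEGIT_BODY = "This month's tips are posted at http://www.upenn.edu/computing/security/ for review."

if __name__ == "__main__":
    for sender, body in [(PHISH_SENDER, PHISH_BODY), (LEGIT_SENDER, LEGIT_BODY)]:
        print(sender, "->", triage_message(sender, body) or "no findings")
```

A legitimate notice from upenn.edu that merely links to www.upenn.edu produces no findings, while the constructed scam trips all three checks.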
If you believe you have mistakenly clicked on a link or otherwise disclosed private information in a phishing attack, immediately change your e-mail and PennKey passwords, contact your LSP, and notify Penn’s Information Security office by e-mailing email@example.com.
For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security