Print This Issue

One Step Ahead
January 11, 2011, Volume 57, No. 17

One Step Ahead

Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy.

Tips to Help Defend Against Phishing

Recently we have seen a rise in phishing attacks and other scams intended to capture sensitive information and/or distribute malware. The University of Pennsylvania is seeing an increase in targeted phishing attacks.

As a reminder, “phishing” refers to fraudulent e-mails that appear to be legitimate messages from Penn or an outside institution. Phishing e-mails ask you for your user-name, password, credit card numbers, or other sensitive information, or direct you to a website, in hopes of capturing your credentials.

Below are some tips to help you identify these scams and avoid disclosing personal or private information: 

1. No organization at Penn will ever ask you for your username and password via e-mail.  If you get an e-mail asking for this information, assume it is a scam and do not respond.

2. Always check the “FROM” address of a message that solicits information or prompts you to login, to see if it originated from a foreign or otherwise illogical address. For example, the latest round of Penn-directed phishing attacks came from a sender whose address ended in “@web.de” (“de” is Germany).

3. Double-check the URL of any websites you are being told to click on in e-mail messages, especially if once directed there, you are asked to login. We recommend typing any URLs directly in to your browser rather than clicking on links. On a related note, be suspicious of URLs that take you to locations that don’t make sense (such as a website that claims to be associated with Penn, but ends in .com, .org, .net, etc.)

4. The Office of Information Security attempts to catalogue Penn-specific phishing attempts at www.upenn.edu/computing/security/phish/  This list can help you quickly and confidently identify a scam.

5. When in doubt, don’t respond to the e-mail—instead, contact your Local Support Provider (LSP) for assistance.

If you believe you have mistakenly clicked on a link or otherwise disclosed private information in a phishing attack, immediately change your e-mail and PennKey passwords, contact your LSP, and notify Penn’s Information Security office by e-mailing security@isc.upenn.edu.


For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security

Almanac - January 11, 2011, Volume 57, No. 17