One Step Ahead: Increase in Spear Phishing Attacks Expected: Know the Do's & Don'ts

April 12, 2011, Volume 57, No. 29

Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy.

Increase in Spear Phishing Attacks Expected: Know the Do's & Don'ts

Last week, an email services firm, Epsilon, announced a major security breach, exposing the names and email addresses of customers of dozens of Fortune 500 companies. (See http://krebsonsecurity.com among other sites for lists of reportedly affected companies. Note that these reports also indicate that no other types of personal information were exposed.) Because the stolen information included names and email addresses, security professionals are warning about an increase in “spear phishing.”

Spear phishing is a particularly sophisticated form of phishing because the phishing email a user receives appears to be from a legitimate institution where the user is actually a customer. In other words, the phishing email is customized to make it look more legitimate, and is therefore more convincing. 

A fraudulent spear phishing email may warn of a special, urgent need to provide username and password or account information or to click on a link that will install malware designed to steal your personal information.

The best and simplest way to protect yourself is to never log into a website from a link in an email and never send your password, PIN, or other financial information in response to an email. Other tips to remember are:

Links in an email may look legitimate but may not be. We recommend typing any URLs directly into your browser rather than clicking on links.

Any email that emphasizes urgency (“Click this now to prevent your account from being disabled!”) should always raise red flags. 

Always check the “FROM” address of a message that solicits information or prompts you to log in, to see if it originated from an illogical address (for example, a foreign country extension on the email address when the email purports to be from a US institution).

When in doubt ask your Local Support Provider (LSP) for advice. Or, call the company directly using the company’s published number (not one provided in the email).
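As an added illustration (not from the Almanac column or Penn's own tooling), the Python script below applies two of the tips above to a constructed sample message: it reads the domain of the “FROM” address so it can be judged, and flags any link whose visible text is a web address on a different host than the one the link really points to. Every name, address and host in it is made up.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; not a real phishing email.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.example.com.evil-host.example>
Subject: Click this now to prevent your account from being disabled!
Content-Type: text/html; charset=utf-8

<html><body>
<a href="http://login.evil-host.example/verify">https://www.examplebank.example.com/login</a>
<a href="https://www.examplebank.example.com/help">Help center</a>
</body></html>
"""

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(html):
    """Return hrefs whose visible text is itself a URL on a different host."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.anchors:
        # Parse the visible text as a URL (prefixing // if it has no scheme);
        # plain words such as "Help center" contain no dot and are skipped.
        shown = urlparse(text if "://" in text else "//" + text).netloc.lower()
        if "." in shown and shown != urlparse(href).netloc.lower():
            flagged.append(href)
    return flagged

def analyze(raw_message):
    """Return the From domain and any deceptive links found in the HTML body."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    return {"sender_domain": msg["from"].addresses[0].domain.lower(),
            "deceptive_links": deceptive_links(body)}
```

The lookalike sender domain still has to be judged by a person; the script only surfaces it next to the mismatched link so both warning signs are visible at once.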

Remember:  No legitimate organization (including Penn!) will ever ask you for your username and/or password via email.  If you get an email asking for this information, assume it is a scam and do not respond.
For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/
Almanac - April 12, 2011, Volume 57, No. 29