One Step Ahead: Avoiding Phishing Attacks
November 3, 2015, Volume 62, No. 12
Another tip in a series provided by the
Offices of Information Systems & Computing and Audit, Compliance & Privacy
As several Schools and Centers across campus prepare to migrate their email and calendaring accounts to a single common service over the course of the next year, it’s more important than ever to be on guard against “phishing” attacks: fraudulent email messages that masquerade as legitimate messages from trustworthy organizations.
The Office of Information Security’s catalogue of Penn-specific phishing attempts (www.upenn.edu/computing/security/phish) reveals that a significant number of recent attacks have been disguised as notifications about email system updates.
To avoid being victimized, be on the lookout for the hallmarks of phishing attacks:
• Legitimate organizations should not prompt you to provide usernames, passwords or other sensitive information via email or links provided in email.
• Be suspicious of any email or communication (including text messages, social media posts and ads) with “Urgent” requests for sensitive or personal information. Major changes in electronic systems such as email should be accompanied by a well-timed series of scheduled communications.
• The information shown in the “From:” field is vague, unfamiliar or does not contain a domain match (such as @upenn.edu) for the purported sending organization. Note that the reverse does not hold: a “From:” address can be forged, so a matching domain is not by itself proof that a message is genuine.
• Likewise, the links contained in fraudulent emails will often lead to URLs (web addresses) that differ from the known online home of the purported sending organization. The visible link text can say one thing while the actual destination is another, so hover over a link (or long-press it on a phone) to reveal where it really points. Watch for subtle variations in spelling and domain (.net vs. .com, .eu vs. .edu), and for the real domain appearing only as a prefix of a longer, unrelated one.
• Phishing attacks are frequently characterized by errors in spelling, grammar and language usage in their content as well.
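The first three hallmarks above (sender domain, urgency, and link targets that differ from the purported sender's site) can be checked mechanically. The script below is an added example, not code from this article or from Penn's Office of Information Security. The two sample messages, the look-alike domains upenn-mail.net and account-verify.net, and the function names are all constructed for illustration; only upenn.edu comes from the text. It parses a raw message, compares the sender's domain and every link's real destination against the expected organization domain, and flags links whose visible text names one host while the href points to another. The suffix check in belongs_to is the point to notice: "upenn.edu.account-verify.net" contains the real domain but is not under it.

```python
"""Heuristic checks for the phishing hallmarks listed above.

Added example, not code from the original article or from Penn's Office of
Information Security. The two messages, the look-alike domains
upenn-mail.net and account-verify.net, and all function names are
constructed for illustration; only upenn.edu comes from the text.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: look-alike sender domain, urgent subject, and a
# link whose visible text names the real site while the href goes elsewhere.
PHISH_EMAIL = """\
From: "IT Help Desk" <helpdesk@upenn-mail.net>
To: user@example.edu
Subject: URGENT: Email system upgrade - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox will be suspended unless you confirm your password within 24 hours.</p>
<p><a href="http://upenn.edu.account-verify.net/login">https://www.upenn.edu/computing/</a></p>
</body></html>
"""

# Constructed legitimate sample for comparison: matching domain, no urgency,
# link text and link target agree.
LEGIT_EMAIL = """\
From: "ISC Client Care" <help@isc.upenn.edu>
To: user@example.edu
Subject: Scheduled email migration: what to expect next month
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your School will move to the common email service on the published schedule.</p>
<p><a href="https://www.isc.upenn.edu/get-it-help">https://www.isc.upenn.edu/get-it-help</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, expected_domain):
    """True only if host is expected_domain or a subdomain of it.

    A suffix check, not a substring check, is what defeats look-alikes such as
    upenn.edu.account-verify.net, where the real domain is merely a prefix.
    """
    return host == expected_domain or host.endswith("." + expected_domain)


def check_message(raw, expected_domain):
    """Return a list of findings; an empty list means no hallmark was detected."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"]
    sender_domain = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    if not belongs_to(sender_domain, expected_domain):
        findings.append(f"sender domain {sender_domain!r} does not match {expected_domain!r}")

    if "urgent" in str(msg["Subject"] or "").lower():
        findings.append("subject uses urgency language")

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    for href, visible in extractor.links:
        target = host_of(href)
        if not belongs_to(target, expected_domain):
            findings.append(f"link points to {target!r}, outside {expected_domain!r}")
        shown = host_of(visible) if "://" in visible else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown!r} but points to {target!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, check_message(raw, "upenn.edu") or ["no hallmarks detected"])
```

Run as-is, the phishing sample produces four findings (sender domain, urgency, an outside link target, and a text/target mismatch) and the legitimate sample produces none. These are heuristics, not proof either way: a forged "From:" that matches the expected domain passes the first check, which is why the text still advises verifying through a published contact rather than trusting the message itself.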
You can also take proactive steps to protect yourself:
• If you are unsure whether an email request is legitimate, try to verify it by contacting the sending organization directly through a published phone number, email or web address.
• When in doubt, don’t respond to a suspicious email. Instead, contact your Local Support Provider (LSP) for assistance. You can locate your LSP’s contact information at https://www.isc.upenn.edu/get-it-help.
If you believe you have mistakenly clicked a malicious link or otherwise disclosed private information in a phishing attack, immediately change your email and PennKey passwords, contact your LSP and notify Penn’s Office of Information Security by emailing security@isc.upenn.edu.
For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/