Penn Computing

ISC's Computing Resource Center

Protecting your PennKey and other personal data from attempts to steal it (phishing)

Phishing attempts continue to grow in frequency at Penn and at other Internet service providers. Each attempt is a socially engineered message designed to get you to hand over personal data to someone who intends to use it for malicious purposes.

For example, you might receive email forged to appear as if it is from a Penn official or a financial institution. The email might tell you that there has been some problem with your access to a Penn network service, an email account, or a bank account. You would subsequently be asked to enter your PennKey, password, and possibly other personal data at a designated web page in order to correct the matter.

The message would likely be formatted in HTML and look very official, often complete with Penn or bank logos and perhaps the Penn shield. It might include an HTML link that takes you to a website that looks exactly like the legitimate campus network services that prompt for your PennKey and password.

The "hook" in this type of attack is that while the site may appear official, the link in fact directs you to a compromised system somewhere that tricks you into entering your PennKey and password. Once your PennKey information is entered, the "phisher" is free to use the PennKey and password in any way he or she chooses. More recent attacks have been disguised as e-cards or cute movies that, when launched, actually install "malware" on your computer.

You can avoid this type of attack by taking the following precautions:
  • Be wary of unsolicited email asking you to enter any kind of sensitive information like passwords, credit card numbers, bank account numbers or ATM PINs.
  • Don't trust web links in email. Be aware that even if a link in an email looks entirely legitimate, there is no guarantee that clicking on it will take you to the website shown in the email. It is very easy for a perpetrator of a phishing scheme to send an email with an apparent link to www.upenn.edu (or any other site, for that matter) that in fact links you to a completely different site.
  • If you need to conduct sensitive business over the web, type the complete URL of your desired web site directly into your browser, rather than relying on links embedded in email.
  • Work with your LSP to verify the authenticity of email you suspect might be "phishing" for your personal data.

http://www.antiphishing.org/ provides more information about this type of attack, along with some detailed explanations of just how sophisticated the attacks can be. Some recent phishing scams seen at Penn are detailed at: http://www.upenn.edu/computing/security/phish/.


Information Systems and Computing
University of Pennsylvania