Penn Computing


ISC's Computing Resource Center

Protecting your PennKey and other personal data from attempts to steal it (phishing)

Phishing attempts continue to grow in frequency across Penn and other Internet service providers. Each attempt uses social engineering to get you to provide personal data to an individual who intends to use that data for malicious reasons.

For example, you might receive email forged to appear as if it is from a Penn official. The email might tell you that there has been some problem with your access to a Penn network service. You would subsequently be asked to enter your PennKey and password at a designated web page in order to correct the matter.

The message would likely be formatted in HTML and look very official, often complete with Penn or bank logos and perhaps the Penn shield. It might include an HTML link that would take you to a website that looks exactly like the legitimate campus network services that prompt for your PennKey and password.

The "hook" with this type of attack is that while the site may appear official, the link in fact directs you to a hacked system somewhere that tricks you into entering your PennKey and password. Once your PennKey info is entered, the "phisher" is free to use the PennKey and password in any way he or she chooses.

You can avoid this type of attack by taking the following precautions:
  • Be wary of unsolicited email asking you to enter any kind of sensitive information like passwords, credit card numbers, bank account numbers or ATM PINs.
  • Don't trust web links in email.  Be aware that even if a link in email looks entirely legitimate, there is no guarantee that when you click on it, you will go to the website indicated in the email.  It is very easy for a perpetrator of phishing schemes to send an email with an apparent link to www.upenn.edu (or any other site for that matter) that in fact links you to a completely different site.
  • If you need to conduct sensitive business over the web, type the complete URL of your desired web site directly into your browser, rather than relying on links embedded in email.
  • Work with your LSP to verify the authenticity of email you suspect might be "phishing" for your personal data.

http://www.antiphishing.org/ provides more information about this type of attack, along with some detailed explanations of just how sophisticated the attacks can be. Some recent phishing scams seen at Penn are detailed at: http://www.upenn.edu/computing/security/phish/


Information Systems and Computing
University of Pennsylvania