ISC's Computing Resource Center
Protecting your PennKey and other personal data from attempts to steal it (phishing)
Phishing attempts continue to grow in frequency across Penn and other Internet service providers. Each attempt uses social engineering to get you to provide personal data to someone who intends to use that data for malicious purposes.
For example, you might receive email forged to appear as if it is from a Penn official or a financial institution. The email might tell you that there has been some problem with your access to a Penn network service, an email account, or a bank account. You would subsequently be asked to enter your PennKey, password, and possibly other personal data at a designated web page in order to correct the matter.
The message would likely be formatted in HTML and look very official, often complete with Penn or bank logos and perhaps the Penn shield. It might include an HTML link that would take you to a website that looks exactly like the legitimate campus network services that prompt for your PennKey and password.
The "hook" with this type of attack is that while the site may appear official, it in fact directs you to a hacked system somewhere that tricks you into entering your PennKey and password. Once your PennKey info is entered, the "phisher" is free to use the PennKey and password in any way he or she chooses. More recent attacks have been disguised as e-cards or cute movies that when launched actually install "malware" on your computer.
You can avoid this type of attack by taking the following precautions: