"Phishing" and "Spear Phishing"
"Phishing" refers to a common scam that begins with an e-mail message that arrives in your inbox and appears to be from a major online retailer, bank or other financial or governmental institution, even to the point of featuring authentic-looking logos and graphics. Common examples include eBay, PayPal, Visa and even the IRS. The text of the message will typically say there is an "urgent problem" with your account and that you must "respond immediately" by clicking on a link provided in the message that will take you to a website where you will be "required" to enter sensitive information about yourself and your account in order to "verify" and "reactivate" your account. The message and site are both bogus, and if you divulge the information asked for, you're opening the door to becoming a victim of identity theft.
Legitimate businesses and government agencies should never solicit or initiate account administration activities or ask you to provide confidential information via e-mail.
If you actually do have an account with the firm the message appears to come from, check their legitimate website for updates on "phishing" attempts seen against them (and type the site's URL directly into your browser - DO NOT click on the link in the message). If you are still uncertain as to the legitimacy of the message, use the telephone and/or e-mail contacts shown on the company's website - but again, DO NOT use any e-mail addresses, telephone numbers or URLs shown in the "phishing" message. And, if you don't have an account with the company (which is often if not usually the case), resist the impulse to reply to the message with "you've made a mistake" or other disclaimer; a reply only confirms that your address is live and read. In short, the best thing to do with "phishing" messages is to simply delete them.
"Spear phishing" is a refined version of "phishing" in which the attack is targeted at a specific group or community of users - such as a university campus. Like all of our peer institutions, Penn has experienced a sharp rise over the past year in e-mails sent to all possible 'upenn.edu' addresses with subject headers like:
University Webmail Upgrade
CONFIRM YOUR WEB MAIL ACCOUNT IMMEDIATELY!!!
Verify Your Email Account
Verify and Update Your upenn University Email Account
Similar to the garden-variety "phishing" attacks described above, in these messages the "upenn Team", "EDU Webmail Team" or other non-existent entity will instruct you to provide them with your user name, password, date of birth and other pieces of confidential information, and will warn that failure to do so will result in loss of account privileges. One difference in many of these cases, though, is that rather than asking you to click on a link to visit a website, they will ask you to give them the information via direct e-mail reply.
THERE IS NO "upenn Team", "EDU Webmail Team", etc. at Penn.
DO NOT RESPOND TO ANY REQUESTS FOR YOUR ACCOUNT INFORMATION VIA E-MAIL, TELEPHONE OR ANY OTHER MEDIA.
In many cases it will be easy to spot these "spear phishing" messages simply by looking at the "From:" and "Reply-To:" headers, which will often show a non-Penn address such as 'firstname.lastname@example.org', or a "Reply-To:" that points somewhere other than the "From:" address. The reverse does not hold: a "From:" address ending in 'upenn.edu' is no guarantee of legitimacy, since that header is trivially forged. Also, many of these attacks originate outside the United States, and the spelling, grammar and syntax are often dead giveaways that the message was written by non-native English speakers - and not by administrators at an Ivy League university.
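The header check described above, written out as a small triage script. This is an added example and not code from the original Penn page; it uses only Python's standard library, treats 'upenn.edu' (and its subdomains) as the trusted domain, and runs over two constructed sample messages rather than real phish from the archive. The addresses in the samples are made up.

```python
"""Header triage for spear-phishing messages.

Added example (not part of the original page): parse a raw message with
the standard library and flag it when the From: or Reply-To: address is
outside the institution's domain, or when the two disagree.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the institution's mail domain, following the page's 'upenn.edu'.
TRUSTED_DOMAIN = "upenn.edu"


def _domain(header_value):
    """Return the lowercase domain of the address in a header, or '' if none."""
    _display_name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _in_domain(domain, trusted):
    """True for the trusted domain itself or any subdomain of it."""
    return domain == trusted or domain.endswith("." + trusted)


def header_findings(raw_message, trusted=TRUSTED_DOMAIN):
    """List the reasons the From:/Reply-To: headers look like spear phishing.

    An empty list means the headers alone give no reason for suspicion. It
    does not mean the message is legitimate: From: is trivially forged, so
    this check only catches the careless cases the page describes.
    """
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    findings = []
    if not from_dom:
        findings.append("From: has no parseable address")
    elif not _in_domain(from_dom, trusted):
        findings.append(f"From: domain {from_dom} is not {trusted}")
    if reply_dom and not _in_domain(reply_dom, trusted):
        findings.append(f"Reply-To: domain {reply_dom} is not {trusted}")
    if from_dom and reply_dom and from_dom != reply_dom:
        findings.append(f"Reply-To: ({reply_dom}) differs from From: ({from_dom})")
    return findings


# Constructed sample: a spoofed "Team" sender with replies routed to an
# outside mailbox, the pattern the page describes. Addresses are made up.
PHISH_SAMPLE = """\
From: "upenn Team" <firstname.lastname@example.org>
Reply-To: edu.webmail.team@example.net
Subject: Verify and Update Your upenn University Email Account

Failure to do so will result in loss of account privileges.
"""

# Constructed sample: sender inside the institution's domain, no Reply-To.
# The address is a placeholder, not a real Penn mailbox.
BENIGN_SAMPLE = """\
From: "Information Security" <noreply@upenn.edu>
Subject: Phishing archive updated

See www.upenn.edu/computing/security/phish/
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, header_findings(sample) or ["no header findings"])
```

Run it to see the three findings for the phish sample and none for the benign one. The check is deliberately one-sided: it is useful for flagging the "non-Penn address in From:" cases, but a clean result must not be read as proof that a message is genuine.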
Penn Information Security has begun tracking and archiving "spear phishing" messages seen at Penn at www.upenn.edu/computing/security/phish/
For more information on "phishing" and "spear phishing", visit www.antiphishing.org
Last updated: Friday, September 12, 2008