Penn Computing

"Phishing" and "Spear Phishing"

"Phishing" refers to a common scam that begins with an e-mail message that arrives in your inbox and appears to be from a major online retailer, bank or other financial or governmental institution, even to the point of featuring authentic-looking logos and graphics. Common examples include eBay, PayPal, Visa and even the IRS. The text of the message will typically say there is an "urgent problem" with your account and that you must "respond immediately" by clicking on a link provided in the message that will take you to a website where you will be "required" to enter sensitive information about yourself and your account in order to "verify" and "reactivate" your account. The message and site are both bogus, and if you divulge the information asked for, you're opening the door to becoming a victim of identity theft.

Legitimate businesses and government agencies should never solicit or initiate account administration activities or ask you to provide confidential information via e-mail.

If you actually do have an account with the firm the message appears to come from, check their legitimate website for updates on "phishing" attempts seen against them (and type the site's URL directly into your browser - DO NOT click on the link in the message). If you are still uncertain as to the legitimacy of the message, use the telephone and/or e-mail contacts shown on the company's website - but again, DO NOT use any e-mail addresses, telephone numbers or URLs shown in the "phishing" message. And, if you don't have an account with the company (which is often if not usually the case), resist the impulse to reply to the message with "you've made a mistake" or other disclaimer. In short, the best thing to do with "phishing" messages is to simply delete them.

"Spear phishing" is a refined version of "phishing" in which the attack is targeted to a specific group or community of users - such as a university campus. Like all of our peer institutions, Penn has experienced a sharp rise in the past year of e-mails sent to all possible 'upenn.edu' addresses with subject headers like:

University Webmail Upgrade
CONFIRM YOUR WEB MAIL ACCOUNT IMMEDIATELY!!!
Verify Your Email Account
Verify and Update Your upenn University Email Account

Similar to the garden-variety "phishing" attacks described above, in these messages the "upenn Team", "EDU Webmail Team" or other non-existent entity will instruct you to provide them with your user name, password, date of birth and other pieces of confidential information, and that failure to do so will result in loss of account privileges. One difference in many of these cases, though, is that rather than click on a link to visit a website, they will ask you to give them the information via direct e-mail reply.

THERE IS NO "upenn Team", "EDU Webmail Team", etc. at Penn. DO NOT RESPOND TO ANY REQUESTS FOR YOUR ACCOUNT INFORMATION VIA E-MAIL, TELEPHONE OR ANY OTHER MEDIA.

In many cases it will be easy to spot these "spear phishing" messages simply by looking at the "From:" and "Reply To:" headers, which will often show a non-Penn address such as 'updatecentre@hotmail.com'. Also, many of these attacks originate outside the United States, and the spelling, grammar and syntax are often dead giveaways that the message was written by non-native English speakers - and not administrators at an Ivy League university.
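The header check described above, together with the lure subject lines listed earlier and the "give us your password by reply" pattern, can be turned into a simple triage filter. The following Python script is an added example and not Penn's own tooling: it flags a message when its From: or Reply-To: domain falls outside the institution's domain, when its subject matches one of the lure patterns, or when the body asks for credentials or personal data by e-mail reply. The trusted domain, the regular expressions and the two sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domain the institution actually sends from (assumption for this example).
TRUSTED_DOMAIN = "upenn.edu"

# Subject-line lures, modelled on the subject headers quoted on the page.
LURE_SUBJECTS = [
    r"webmail upgrade",
    r"confirm your web ?mail account",
    r"verify (and update )?your (upenn university )?e-?mail account",
]

# Body wording that asks the reader to hand over credentials by reply.
CREDENTIAL_REQUEST = re.compile(
    r"\b(user ?name|password|date of birth)\b.*\b(reply|send|provide)\b|"
    r"\b(reply|send|provide)\b.*\b(user ?name|password|date of birth)\b",
    re.IGNORECASE | re.DOTALL,
)


def sender_domain(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(domain):
    """True when the domain is the institution's domain or a subdomain of it."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def phishing_indicators(raw_message):
    """Return a list of reasons the message looks like spear phishing (empty list = nothing found)."""
    msg = message_from_string(raw_message)
    reasons = []

    # 1. From:/Reply-To: outside the institution, or a Reply-To: that quietly redirects replies.
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    if from_dom and not is_trusted(from_dom):
        reasons.append(f"From: domain {from_dom} is outside {TRUSTED_DOMAIN}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To: domain {reply_dom} differs from From: domain {from_dom or '(none)'}")

    # 2. Subject matches one of the known lure patterns.
    subject = msg.get("Subject", "")
    for pattern in LURE_SUBJECTS:
        if re.search(pattern, subject, re.IGNORECASE):
            reasons.append(f"subject matches known lure pattern: {pattern!r}")
            break

    # 3. Body asks for credentials or personal data via direct e-mail reply.
    body = msg.get_payload(decode=True)
    body = body.decode("utf-8", "replace") if isinstance(body, bytes) else (body or "")
    if CREDENTIAL_REQUEST.search(body):
        reasons.append("body asks for credentials or personal data by e-mail reply")

    return reasons


# Constructed sample messages (not real mail): one lure, one routine notice.
PHISH_SAMPLE = """From: "upenn Team" <updatecentre@hotmail.com>
Reply-To: updatecentre@hotmail.com
To: user@upenn.edu
Subject: Verify Your Email Account

Dear Webmail User,
Your account will be deactivated. Reply with your user name, password and date of birth to keep it active.
"""

LEGIT_SAMPLE = """From: Local Support <support@dept.upenn.edu>
To: user@upenn.edu
Subject: Scheduled maintenance notice

Webmail will be unavailable Saturday 02:00-04:00 for maintenance. No action is required.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The filter is deliberately conservative: a message is only flagged on concrete signals (foreign sender domain, mismatched Reply-To:, a known lure subject, or a request for credentials by reply), so a routine notice from a departmental subdomain passes clean while the sample lure trips three separate checks.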

Penn Information Security has begun tracking and archiving "spear phishing" messages seen at Penn at www.upenn.edu/computing/security/phish/

For more information on "phishing" and "spear phishing", visit www.antiphishing.org

Last updated: Friday, September 12, 2008

Information Systems and Computing
University of Pennsylvania