Tuesday, April 12, 2011 - Almanac Vol. 57, No. 29
Increase in Spear Phishing Attacks Expected: Know the Do's and Don'ts
Last week, an email services firm, Epsilon, announced a major security breach, exposing the names and email addresses of customers of dozens of Fortune 500 companies. (See http://krebsonsecurity.com among other sites for lists of reportedly affected companies. Note that these reports also indicate that no other types of personal information were exposed.) Because the information hacked included names and email addresses, security professionals are warning about an increase in "spear phishing."
Spear phishing is a particularly sophisticated form of phishing because the phishing email a user receives appears to be from a legitimate institution where the user is actually a customer. In other words, the phishing email is customized to make it look more legitimate, and is therefore more convincing.
A fraudulent spear phishing email may warn of a special, urgent need to provide username and password or account information or to click on a link that will install malware designed to steal your personal information.
The best and simplest way to protect yourself is to never log into a website from a link in an email and never send your password, PIN, or other financial information in response to an email.
Remember: No legitimate organization (including Penn!) will ever ask you for your username and/or password via email. If you get an email asking for this information, assume it is a scam and do not respond.
Other tips to remember are:
- Links in an email may look legitimate but may not be. We recommend typing any URLs directly into your browser rather than clicking on links.
- Any email that emphasizes urgency ("Click this now to prevent your account from being disabled!") should always raise red flags.
- Always check the "FROM" address of a message that solicits information or prompts you to log in, to see if it originated from an illogical address (for example, a foreign country extension on the email address when the email purports to be from a US institution).
- When in doubt, ask your Local Support Provider (LSP) for advice. Or, call the company directly using the company's published number (not one provided in the email).