Tuesday, April 12, 2011 - Almanac Vol. 57, No. 29
Increase in Spear Phishing Attacks Expected: Know the Do's and Don'ts
Last week, an email services firm, Epsilon, announced a major security breach, exposing the names and email addresses of customers of dozens of Fortune 500 companies. (See http://krebsonsecurity.com among other sites for lists of reportedly affected companies. Note that these reports also indicate that no other types of personal information were exposed.) Because the stolen information included names and email addresses, security professionals are warning about an increase in "spear phishing."
Spear phishing is a particularly sophisticated form of phishing because the phishing email a user receives appears to be from a legitimate institution where the user actually is a customer. In other words, the phishing email is customized to look more legitimate, and is therefore more convincing.
A spear phishing email may warn of a special, urgent need to provide your username and password or account information, or it may ask you to click on a link that will install malware designed to steal your personal information.
The best and simplest way to protect yourself is to never log into a website from a link in an email and never send your password, PIN, or other financial information in response to an email. Other tips to remember are:
- Remember: No legitimate organization (including Penn!) will ever ask you for your username and/or password via email. If you get an email asking for this information, assume it is a scam and do not respond.
- Links in an email may look legitimate but may not be. We recommend typing any URLs directly into your browser rather than clicking on links.
- Any email that emphasizes urgency ("Click this now to prevent your account from being disabled!") should always raise red flags.
- Always check the "FROM" address of a message that solicits information or prompts you to log in, to see if it originated from an illogical address (for example, a foreign country extension on the email address when the email purports to be from a US institution).
- When in doubt, ask your Local Support Provider (LSP) for advice. Or, call the company directly using the company's published number (not one provided in the email).
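The two checks in the link and "FROM" address tips above can be scripted so an LSP or mail administrator can run them over a suspicious message. The following is an added example, not code from the Almanac article or from Penn: it flags an anchor whose visible text names one host while its href points somewhere else, and a From header whose display name claims a trusted domain while the actual address uses another, or whose address domain is a look-alike with an extra extension tacked on. The `TRUSTED_DOMAINS` set and the sample message are constructed for illustration and are not real addresses.

```python
"""Spear-phishing indicator checks (added example; assumptions: TRUSTED_DOMAINS
and the sample message below are constructed, not taken from any real mail)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains the reader's institution and bank actually send from.
TRUSTED_DOMAINS = {"upenn.edu", "example-bank.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in_text(text):
    """Return a host name that appears in free text (e.g. anchor text), or None."""
    m = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    return m.group(1).lower() if m else None


def _same_site(a, b):
    """True when one host equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html_body):
    """Links whose visible text names a host that is not the href's host."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = _host_in_text(text)
        if href_host and text_host and not _same_site(href_host, text_host):
            findings.append((text, href))
    return findings


def suspicious_from(from_header):
    """Reasons a From header looks illogical relative to TRUSTED_DOMAINS."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Display name advertises a trusted domain, but the address is elsewhere.
    claimed = next((d for d in TRUSTED_DOMAINS if d in name.lower()), None)
    if claimed and not _same_site(addr_domain, claimed):
        reasons.append(f"display name claims {claimed} but address is @{addr_domain}")
    # Address domain embeds a trusted domain with extra labels, e.g. bank.com.cn.
    for d in TRUSTED_DOMAINS:
        if d in addr_domain and not _same_site(addr_domain, d):
            reasons.append(f"address domain {addr_domain} is a look-alike of {d}")
    return reasons


def assess(raw_message):
    """Run both checks over a raw RFC 822 message and return all findings."""
    msg = message_from_string(raw_message)
    findings = list(suspicious_from(msg.get("From", "")))
    body = ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    for text, href in suspicious_links(body):
        findings.append(f"link text '{text}' actually points to {href}")
    return findings


# Constructed sample: the display name name-drops upenn.edu, the address does
# not, and the visible link text disagrees with the real destination.
SAMPLE_MESSAGE = """From: "Penn Security upenn.edu" <alerts@mail-notify.ru>
To: someone@upenn.edu
Subject: Action required
Content-Type: text/html

<p>Click this now to prevent your account from being disabled:
<a href="http://login.example-bank.com.evil.test/reset">https://www.example-bank.com/reset</a>
or visit <a href="https://www.upenn.edu">Penn</a>.</p>
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```

The checks only read headers and HTML; nothing is fetched, so the script is safe to run on a quarantined message. A clean anchor such as "Penn" pointing at https://www.upenn.edu is not flagged because its visible text names no host, and a subdomain of a trusted domain (for example isc.upenn.edu) is treated as the same site.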