Phishing & Spear Phishing

Phishing refers to a common scam that begins with an e-mail claiming to be from a major online retailer, bank, or other financial/governmental institution (even to the point of featuring authentic logos and graphics). Common examples include eBay, PayPal, Visa, and the IRS. The message will typically state there's an "urgent problem" with your account and that you must respond by clicking the link provided, which will take you to a website where you will be required to enter sensitive information. But if you divulge that information, you become highly susceptible to identity theft.

If you actually have an account with the firm a questionable message appears to originate from, type the firm's URL into your browsers (DO NOT click the message link) and check the firm's website for updates on phishing attempts. If you are still uncertain of the message's legitimacy, use the telephone and/or e-mail contacts shown on the company's website (DO NOT use any e-mail addresses, telephone numbers, or URL's shown in the phishing message.) If you don't have an account with the company, which is often the case, simply delete the email.

Legitimate businesses and government agencies should never solicit/initiate account administration activities or ask you to provide confidential information via e-mail.

Spear phishing is when the attack is targeted to a specific group or community of users, such as a university campus. Like our peer institutions, Penn has experienced a sharp rise in the past year of emails sent to all possible 'upenn.edu' addresses with subject headers like:

• University Webmail Upgrade
• CONFIRM YOUR WEB MAIL ACCOUNT IMMEDIATELY!!!
• Verify Your Email Account
• Verify and Update Your UPenn University Email Account

In these messages, the "UPenn Team", "EDU Webmail Team," or other non-existent entity will instruct you to provide confidential information, and that failure to do so will result in loss of account privileges. However, in these cases, rather than click on a link, the phishers will ask for information via direct e-mail reply.

Usually, it will be easy to spot spear phishing messages by looking at the "From:" and "Reply To:" headers, which will often show a non-Penn address such as updatecentre@hotmail.com. Also, many of these attacks originate outside the United States, so the spelling, grammar, and syntax are often a giveaway that the message was written by non-native English speakers and not administrators at an Ivy League university.

If you suspect you received a phishing email, please report it to:

• Penn Medicine employees should report phishing emails to phishing@pennmedicine.upenn.edu.
• All other University affiliates, please forward it to phishing@isc.upenn.edu, or report it to your School or Center IT support staff. 

• Additional information on phishing & spear phishing
• Email Headers
• Almanac: Social Engineering
• Desktop Security 101
• Malware
• Information Security Training & Awareness