What is Phishing?

Phishing is a cyberattack that uses deception to trick individuals into revealing sensitive information, such as usernames, passwords, financial data, or personal details.
 
Attackers impersonate trusted individuals or organizations—such as banks, IT departments, or colleagues—and use email, text messages, phone calls, or websites to manipulate users into clicking malicious links, approving requests, or sharing credentials.

Common Types of Phishing Attacks

Email Phishing

The most common type of phishing. Attackers send fraudulent emails that appear to come from a legitimate organization, often including malicious links or attachments.

When you receive an unsolicited email with embedded web links, keep the following tips in mind:

  • Watch for urgent or threatening language. Be immediately suspicious if the message tries to scare you, offers an incredible deal, prompts you to reset a password or update account information, or asks you to check your direct deposit.
  • Check the sender’s email address carefully. Look for misspellings, extra characters, or unfamiliar domains that imitate legitimate companies (for example, @upen.edu instead of @upenn.edu).
  • Check each link by hovering over it to see its true destination. If the URL is unfamiliar or differs from what you expected to see, don’t click.
  • Be cautious with unexpected attachments. Unexpected attachments, especially .zip, .exe, or macro-enabled documents, may contain malware.

Spear Phishing

Targeted attacks aimed at specific individuals or groups using personalized information to increase credibility. You can read more on spear phishing at https://isc.upenn.edu/phishing-spear-phishing

Whaling

A specialized form of spear phishing targeting executives or high-level personnel to access sensitive or financial information. 

Smishing (SMS Phishing)

Phishing attempts delivered via text messages, often impersonating banks, delivery services, Multi-Factor Authentication (MFA) services, or government agencies. More information on smishing is covered in the university Almanac article "One Step Ahead: Beware of 'Smishing'-Phishing via SMS Text Messages."

Vishing (Voice Phishing)

Attackers use phone calls to impersonate legitimate organizations and request sensitive data such as passwords or verification codes. 

Clone Phishing

A legitimate email is copied, and links or attachments are replaced with malicious versions while maintaining a familiar format. 

How to Identify Phishing Attempts?

Watch for these common warning signs:

  • Unexpected or urgent requests
  • Messages asking for sensitive information
  • Suspicious or mismatched links
  • Generic greetings (e.g. "Dear User")
  • Spelling or grammar errors, although AI-generated messages may be well written
  • Requests to approve logins or MFA prompts you did not initiate

Advanced Phishing Threats

Multi-Factor Authentication (MFA) Phishing

The Multi-Factor Authentication (MFA) service at Penn is referred to as Two-Step Verification. This service requires users to authenticate using Duo, which serves as the foundation of the university’s Two-Step Verification system.

While the Duo Mobile smartphone app is the most commonly used authentication method, users also have the option to use a physical security key, such as a USB hardware token (e.g., YubiKey) that plugs directly into their computer. You can read more on the benefits and challenges of using security keys in the University Almanac "Method for Two-Step."

Protect Against MFA Phishing

  • Never share MFA (Two-Step Verification) codes with anyone
  • Do not approve unexpected login requests
  • Pause and verify before approving push notifications
  • Use phishing-resistant MFA methods when available, such as hardware security keys (e.g., YubiKey)

QR Code Phishing (Quishing)

Malicious QR codes are used to redirect users to fake websites or download malware. QR codes hide the destination URL, making it harder to verify legitimacy before taking action. 

Where it appears:

  • Emails and attachments
  • Posters, flyers or physical mail
  • Fake invoices or notices

Protect Against QR Code Phishing (Quishing)

  • Avoid scanning QR codes from unknown sources
  • Verify the destination before entering credentials
  • Be cautious of QR codes in emails or unsolicited materials
  • Use trusted scanning tools or your device's built-in scanner

General Best Practices

VIEW — Spot the Red Flags

  • Think before you click — Be cautious of urgent or high-pressure messages
  • Impersonation attempts — Messages pretending to be HR, IT, or other staff
  • Suspicious links or unexpected attachments
  • Requests for sensitive or confidential information
  • Unnecessary or unfamiliar QR codes
  • Unexpected Duo push notifications you did not initiate

VALIDATE — Practice Smart Security Habits

  • Verify requests through trusted channels
    (e.g., call the sender directly or contact your IT support team)
  • Inspect links and URLs carefully before clicking
  • Check QR codes before scanning (confirm the source and destination)
  • Do not approve repeated or unexpected Duo login requests
  • Avoid sharing sensitive information via email, text, or phone
  • Trust your instincts — If something feels off, pause and verify

VOICE - Report and Speak Up

  • Report suspicious messages immediately to your IT support team
    or the Office of Information Security at security@isc.upenn.edu
  • Why reporting matters:
    • Helps stop attacks quickly
    • Protects your data and University systems
    • Strengthens the overall security posture