One Step Ahead: Don’t Get Caught by Targeted Email Attacks

Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy
The autumn of 2018 saw an increase in targeted email attacks, or “spear phishing.” These attacks leverage a familiar name or job position, like that of a friend, coworker, supervisor, dean or some other authority, to gain your trust, and are often aimed at members of a specific organization or group.
Targeted email attack messages have specific characteristics:
- The message seems to originate from someone you know. The sender’s name and title look or sound legitimate (for example, the sender may appear to be a dean of a particular School or Center), but the email is actually sent from a non-University email address (that ends, say, in @gmail.com).
- The message prompts the recipient to take action, such as clicking on a link, downloading something, or purchasing a gift card and sending back the card’s code.
- The message carries malicious code. Once the recipient clicks on a link or opens an attachment, malicious code in the form of malware, ransomware or spyware is installed on the computer. This malicious code may grant a hacker control over your computer or sit silently collecting keystrokes and information.
To avoid becoming a victim of targeted phishing, follow these basic tips:
- Verify—Check the Penn directory to ensure the sender’s email address is correct, and if possible contact the sender or your IT department to confirm that the message was sent to you.
- Avoid clicking on links or attachments, no matter how urgent the message sounds.
- Install antivirus software and run it at least once a week. Penn provides Symantec Endpoint Protection at no cost to Penn constituents.
- Keep your software up to date, including your operating system, antivirus, firewall, and browser plug-ins (e.g., Adobe Flash).
- When using your personal computer or a computer not managed by your department’s computing support staff, install or turn on the firewall.
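For computing support staff, the first characteristic above (a familiar name on a non-University address) and the "Verify" tip can be turned into an automated header check. This is an added example, not part of the original tip: the domain `university.example`, the directory entries and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "university.example"  # placeholder for the University's mail domain
# Constructed directory for this example: normalized display name -> address on record.
DIRECTORY = {
    "jane doe": "jdoe@university.example",
    "john smith": "jsmith@university.example",
}
TITLES = re.compile(r"\b(dean|dr|prof|professor|provost)\b\.?", re.I)

def normalize(name):
    """Drop titles and punctuation, lower-case, collapse whitespace."""
    name = TITLES.sub(" ", name)
    name = re.sub(r"[^a-z\s]", " ", name.lower())
    return " ".join(name.split())

def is_org_address(addr):
    """True if the address is on the organization's domain or a subdomain of it."""
    domain = addr.rpartition("@")[2].lower()
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)

def check_sender(raw_message):
    """Return a list of findings for a raw RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    known = DIRECTORY.get(normalize(name))
    findings = []
    if known and addr.lower() != known:
        findings.append("address-mismatch")   # familiar name, address not the one on record
    if known and not is_org_address(addr):
        findings.append("external-sender")    # familiar name, non-University address
    if reply_addr and is_org_address(addr) and not is_org_address(reply_addr):
        findings.append("external-reply-to")  # replies would leave the organization
    return findings

# Constructed sample message: a known name and title on a free webmail address.
SAMPLE = (
    "From: Dean Jane Doe <jane.doe.dean@gmail.com>\n"
    "Subject: Quick favor\n\n"
    "Are you available? I need gift cards purchased today.\n"
)

if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

A name that does not appear in the directory produces no finding, so this check complements the manual directory lookup rather than replacing it.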
To help protect yourself and others, always report any suspicious email messages to your local computing support, or email the Office of Information Security (OIS) at security@isc.upenn.edu.
For additional tips, see the One Step Ahead link on the Information Security website: https://www.isc.upenn.edu/security/news-alerts#One-Step-Ahead