Another tip in a series provided by the
Offices of Information Systems & Computing
and Audit, Compliance & Privacy.

____________________

Recently, fraudulent emails have been circulating through several Schools and Centers disguised as official communications from Penn Human Resources or Payroll regarding salary increases or your pay advice. These emails contain links to web pages which request sensitive data such as Social Security numbers, banking information, PennKey username and password or other personal information.

Should you receive a message of this nature, report it immediately to your Local Support Provider (LSP). Your LSP is listed at https://www.isc.upenn.edu/get-it-help These emails are not from Penn Human Resources or the Payroll office; they are designed to gain unauthorized access to your personal information in an attempt to steal your pay.

The University will never ask for your Social Security number or personal banking information in an email.

There are steps you can take to help you evaluate whether an email is legitimate:

• Carefully assess emails that tell you to take immediate action. Fraudulent emails often try and create a sense of urgency, threat or alarm to force you to act quickly without thinking.
• Confirm the origin of emails requesting personal information. If a suspicious email references a department or group, contact that organization directly for verification that the email is legitimate. Do not rely on any phone numbers or links contained in the email. Instead, use their Penn webpage or the Penn Directory for contact information.
• Check Penn’s list of reported fraudulent (phishing) messages: http://www.upenn.edu/computing/security/phish/

You can further protect your PennKey username and password by using two-step verification. Two-step verification adds an extra layer of security whenever you log in with your PennKey username and password. In addition to your PennKey password, which is something only you should know, two-step also utilizes something only you have, such as your smartphone.

For more information on two-step verification see: http://www.upenn.edu/computing/weblogin/two-step/

If you believe you may have responded to a fraudulent message, contact your LSP immediately for assistance. You will also need to change your PennKey password, and confirm that your financial and Penn Directory information has not been changed.