Skip to main content

One Step Ahead: Protecting Against Phishing

One Step Ahead logo

Another tip in a series provided by the 
Offices of Information Systems & Computing 
and Audit, Compliance & Privacy.

According to Verizon’s 2016 Breach Report, “phishing” — the attempt to obtain sensitive information or gain access to a system through deceitful email— continues to be a major source of fraud, resulting in the theft of personal identities, sensitive information and even property or funds.          

Phishing is characterized by urgent language stating that immediate action must be taken in order to prevent serious negative consequences (e.g., termination of an account). These attack messages press you to provide sensitive or personal information, either via email or on a linked website. These demands frequently contain telltale flaws; generic salutations, grammatical errors and spelling mistakes can be a tip-off that something is amiss.    

A more targeted version of this type of attack is known as “spear phishing.” Spear phishers misappropriate specific language and images from legitimate institutional communications (e.g., Penn logos, names of Penn organizations, or Penn-specific terms like “PennKey”) in order to lure users to malicious websites.

Spear phishing can target specific individuals as well as groups. Phishers may closely examine organizational charts and public website information for details that allow them to impersonate a supervisor, business administrator, or other trusted source via email. These emails often urge recipients to act quickly while also discouraging further follow-up. Comments like “Please do this ASAP; I will be away and can’t be reached by phone,” are a clue that a message may be fraudulent.

To further protect yourself against phishing:  

• Try to confirm offline any electronic communications that expect you to initiate financial transactions with unfamiliar partners, or in undue haste.            

• Speak with your Local Service Provider (LSP) about using Penn’s SafeDNS service, which blocks connections to known malicious web addresses. 

• Report email that JDLR (Just Doesn’t Look Right) to security@upenn.edu The sooner possible phishing threats are identified, the quicker they can be stopped from ensnaring others at Penn.  

To learn more, visit:

• http://www.upenn.edu/computing/security/phish/

• http://www.upenn.edu/computing/security/advisories/phishing.php

________________________________

For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/

Back to Top