Over the last several days, many Penn students, faculty, and staff have received a number of scam “phishing” email messages.
These messages are designed to trick recipients into revealing personal account information, and they have been successful. A number of staff members have followed the directions, which has resulted in their email accounts being compromised. Once a compromise occurs, the email account is generally used to send out spam messages and other scams intended to compromise others. Because PennKey passwords are also often involved, the phishers can potentially access much more than just email.
To recover from a compromised account, the staff member needs to expend a lot of effort resetting account credentials, having their accounts unlocked, and cleaning up their mailbox.
- Legitimate Penn departments and service providers should never solicit or initiate account administration activities or ask you to provide confidential information via e-mail.
- There is no “Upenn Team”, “EDU Webmail Team”, etc. at Penn.
- DO NOT RESPOND TO ANY REQUESTS FOR YOUR ACCOUNT INFORMATION VIA E-MAIL, TELEPHONE OR ANY OTHER MEDIA.
- Because this attack uses “social engineering” tactics to trick you, antivirus software and other traditional computer-based protective steps are not very effective. You need to help protect yourself.
More information from ISC Security is available at http://www.upenn.edu/computing/security/advisories/phishing.php
Thanks to Doug Smullens, IT manager for the Penn Libraries, for the above info.