What is Phishing?
Phishing is a type of scam where a malicious actor sends emails (and sometimes text messages) that are designed to look “official” and urgent, in order to get you to quickly click on a malicious link or respond in some way. They can be extremely deceptive, and they are frequently used to steal sensitive personal information (such as banking passwords) and university data.
You can help deter these attacks by keeping a lookout for phishing messages and always pausing to consider before acting on a message if it looks at all suspicious.
Below are some of the signs a message could be “phishy.”
Some Telltale Signs
The message might be a scam if it:
- claims to be an urgent matter requiring your immediate attention
- urges you to log in or click on the attachment right away
- impersonates an authority (such as a department chair or dean) who needs a speedy response
- says something bad will happen (“login now to retain account access”) if you don’t act quickly
- contains misspellings or grammatical errors
- has a sending email address doesn’t match who they claim to be (you can hover over the "send" field to see the true address of the sender)
- uses an email address that looks official, but isn’t (for example, something like "
" – note this is a gmail address that’s designed to look like it is affiliated with SAS but it is not a true upenn.edu email address)
You may have already seen examples of some of the phishing attacks that commonly target the Penn community. We've seen messages on campus that:
- attempt to trick you into revealing your password by directing you to a phony website made to look like an official login page
- offer internships or honoraria in return for giving a scammer your banking information or SSN
- look like a sudden request from your Dept Chair or advisor who needs gift cards purchased right away
- For actual examples of phishing emails seen at Penn, please see below
The Office of Information Security publishes phishing emails that are reported on campus. You can see additional examples they've collected on their phishing archive page.
What should you do?
- If you see a message that is obviously phishing, you can safely ignore and delete it.
- But, if you are unsure, you can try to reach the alleged sender another way (e.g., by phone) and ask if they sent the message.
- You can always ask your LSP. SAS Computing staff are happy to help by taking a look at anything on your computer that you think may be suspicious.
- You can forward the email to
and Penn's Office of Information Security will get back to you.
Never Share Your Passwords
Please know that Penn will never solicit your username, password or other private information (such as full or partial Social Security Number) in this manner. If you receive an email requesting you respond back or visit a website and provide any of this sensitive information, either delete or ignore it.
For more information about phishing, here are some helpful additional resources:
Tips from the Almanac regarding phishing attacks on 2-step verification
Information on SMS phishing attacks, or "smishing"
ISC's Information and Advice on Phishing and Spear Phishing information
Thank you for your help in maintaining a secure computing environment at Penn.
Here are some examples of phishing seen at Penn: