Stealing your Penn login credentials (PennKey) is often just the first step in a phishing attack: criminals will try to use this information to access other accounts (such as banking) tied to your email or even divert your direct deposits in Workday.
Fake login webpages are a favorite tactic to trick you into divulging your PennKey. To defend against this, it’s important to stay aware of where you enter your credentials.
Know Your Login Page
The official Penn single sign-on (SSO) page should look the same in all contexts, regardless of the university resource you access.*
Signs to look for:
- Page URL starts with: https://weblogin.pennkey.upenn.edu/
- Penn logo and “Penn WebLogin” appear in the page tab
*Logins to O365 web apps are an exception to this rule, as Microsoft uses its own authentication service.
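The URL check above, written as code that a help desk or mail-filter script could apply to a reported link. This is an added example, not code from Penn; the function name checkLoginUrl and every sample link are constructed for illustration. It compares the parsed scheme and host rather than matching by eye, so lookalike addresses that merely contain the real hostname are rejected.

```javascript
// Only the hostname below comes from the page; everything else is illustrative.
const EXPECTED_HOST = "weblogin.pennkey.upenn.edu";

// Returns { ok, reason } for a link that claims to be the Penn WebLogin page.
function checkLoginUrl(link) {
  let url;
  try {
    url = new URL(link); // WHATWG URL parser, the same rules browsers apply
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // The page's prefix starts with https://, so plain http is rejected.
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  // Text before an "@" is userinfo, not the host the browser connects to.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo-before-host" };
  }
  // Exact match: the real name followed by more labels is a different site.
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, reason: "wrong-host:" + url.hostname };
  }
  // The default port (443) parses to "", anything else is unexpected.
  if (url.port !== "") return { ok: false, reason: "unexpected-port" };
  return { ok: true, reason: "penn-weblogin" };
}

// Constructed sample links (example.com is a reserved documentation domain;
// the paths are made up).
const SAMPLES = [
  "https://weblogin.pennkey.upenn.edu/idp/profile",
  "https://weblogin.pennkey.upenn.edu.example.com/login",
  "https://weblogin.pennkey.upenn.edu@example.com/login",
  "http://weblogin.pennkey.upenn.edu/",
  "https://docs.google.com/forms/d/e/CONSTRUCTED/viewform",
];

for (const link of SAMPLES) {
  const { ok, reason } = checkLoginUrl(link);
  console.log((ok ? "OK     " : "REJECT ") + reason + "  " + link);
}
```

The O365 exception noted above is outside this check, since Microsoft's login address is not given here.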
Accept No Substitutes
Google Forms are a popular way for scammers to collect login credentials. Often, they will look nothing like the real login page:
Signs to look for:
- May prompt for authentication code instead of Duo push notification
- Includes warning under submit button NOT to enter passwords on this page
If you find yourself on an unfamiliar login page, STOP!
Before entering your PennKey, ask yourself:
- How did I get here?
- Do I trust the source of the link?
- Is there an alternate way I can verify this login request is legitimate?
When in doubt, ask your LSP! The SAS Computing team is always happy to review any message and help you determine whether it is genuine.
To further protect your online accounts, two-factor authentication should be enabled wherever offered. Passwords should be unique and as long and complex as allowed.
You may wish to use a password manager to keep track of all your logins. Penn offers Dashlane Premium for free to all faculty, staff and students. For more information, see: https://computing.sas.upenn.edu/faculty_staff/infosec/password-management
For more tips on staying secure online, check out these topics:
Phishing: https://computing.sas.upenn.edu/help/phishing
Student Job Scams: https://computing.sas.upenn.edu/hiring-phishing
Travel Abroad: https://computing.sas.upenn.edu/faculty_staff/infosec/travel-abroad