Beware of phishing scams and holiday spam

Fraudulent e-mails that appear to be coming from University locations such as, and continue to be sent to Penn State faculty, staff and students. These e-mails, which ask recipients to provide their individual user ID and password, are part of a variety of dangerous phishing scams, which have targeted all colleges and universities since 2008. The e-mail messages are NOT sent by administrative offices at Penn State. Do not reply to these messages, as they are not legitimate and could lead to the compromise of your access account, your computer or your data. ITS strongly recommends that the messages be deleted. Anyone who already has replied to one of these fraudulent messages should contact Security Operations and Services (SOS) at 814-863-9533.

"Never give your password to anyone under any circumstances," said Kathy Kimball, senior director of SOS. "Passwords are an essential part of each person's Penn State digital identity and must be kept as secure as possible. The University (and other official organizations) will never require anyone to provide sensitive information such as passwords, credit card numbers, or Social Security information via e-mail."

Most phishing schemes come in the form of unsolicited e-mail, with phrases like, "we need to confirm your account, please click here." However, the link leads users to a false Web site, and then prompts them to provide personal information such as their password, address, Social Security number, credit card data and more. The "phishers" then use the information to commit identity theft, a type of criminal activity that can include creating false bank accounts, maxing out credit cards and taking out loans in the victim's name.

Penn State also urges students, faculty and staff to watch out for the increasing amount of holiday spam messages that are fake postcards -- or typically offer fake Rolexes, seasonal gift suggestions, or the chance to win money for holiday spending at this time of year. Holiday spam can lead recipients to phishing sites, install malware, or turn victims' computers into 'zombie machines,' according to SOS staff, and should be deleted immediately.

Even if a company address may look legitimate, it's important to never send private information in response to an e-mail of this kind.

For more information about how to protect your personal data from phishing scams and other dangers, visit the Penn State's Take Control Web site at online.

Last Updated December 17, 2009