Penn State community reminded to be on alert for phishing email scams

December 16, 2019

UNIVERSITY PARK, Pa. — A co-worker emails you, asking for a favor. It won’t take long. Your colleagues will appreciate the help and you’ll be reimbursed for your expenses.

Full stop. These should be red flags, even if they seem harmless and come from an email account that appears familiar and friendly.

In reality, these are spear phishing attempts: fraudulent messages sent by attackers posing as Penn State employees to ask for a favor, a service or money. Their real intent is to steal personal information, gain access to University data, or worse.

Penn State’s Office of Information Security (OIS) has detected an increased volume of these phishing email attacks against University employees in recent weeks. Specifically, attackers are sending emails that appear to be from Penn State users, primarily co-workers who are asking victims to purchase gift cards worth hundreds of dollars from places like Target, Amazon and Google Play with a promise they will be reimbursed.

“These attacks are highly targeted and personalized to one person or a group of Penn State employees who share a connection,” Rich Sparrow, Penn State acting chief information security officer, said. “Hackers can spend months monitoring groups in order to collect data to create a convincing message.”

The gift card scams have come from attackers using outside accounts whose addresses are crafted to resemble Penn State Access IDs, such as userid1234.psu.edu@gmail.com, where "psu.edu" appears inside the name of a Gmail account rather than as the sending domain. The senders always insist on communicating via email rather than on the phone, and the messages almost always contain a specific ask.
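The lookalike-address pattern above can be checked mechanically. The following is an added example, not Penn State's or OIS's code: it classifies the value of a message's From: header as internal, lookalike or external. It assumes that psu.edu and its subdomains are the only legitimate sending domains (an assumption, not something the article states), and the sample headers it scans are constructed for illustration.

```python
"""Flag From: addresses that imitate a psu.edu Access ID from an outside mailbox.

Added example, not Penn State/OIS code. Assumption: psu.edu and its subdomains
are the only legitimate sending domains. The sample headers are constructed.
"""
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "psu.edu"  # assumption: the institution's real mail domain


def _is_trusted_domain(domain: str) -> bool:
    """True for psu.edu itself and any subdomain such as mail.psu.edu."""
    domain = domain.lower().rstrip(".")
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def _mentions_trusted_domain(text: str) -> bool:
    """Look for the trusted domain with separators normalised away, so that
    'psu.edu', 'psu-edu' and 'psu_edu' are all caught."""
    normalised = re.sub(r"[^a-z0-9]", "", text.lower())
    return TRUSTED_DOMAIN.replace(".", "") in normalised


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for an RFC 5322 From: value.

    'lookalike' means the message did not come from the trusted domain but the
    trusted domain's name is smuggled into the local part, the display name or
    a deceptive outer domain (e.g. userid1234.psu.edu@gmail.com).
    """
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"  # unparseable address: never trust it
    local, _, domain = addr.rpartition("@")
    if _is_trusted_domain(domain):
        return "internal"
    if _mentions_trusted_domain(f"{display_name} {local} {domain}"):
        return "lookalike"
    return "external"


def scan_headers(headers):
    """Classify a batch of From: values; returns a list of (header, verdict)."""
    return [(h, classify_sender(h)) for h in headers]


# Constructed sample From: headers (not real messages).
SAMPLE_HEADERS = [
    "userid1234.psu.edu@gmail.com",                 # pattern from the article
    '"Dept Head (psu.edu)" <depthead77@outlook.com>',  # domain in display name
    "jdoe@psu.edu.example.com",                     # deceptive outer domain
    "Jane Doe <jdoe@mail.psu.edu>",                 # genuine subdomain
    "vendor@example.com",                           # ordinary outside sender
]

if __name__ == "__main__":
    for header, verdict in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:<9} {header}")
```

The check is deliberately one-sided: a verdict of "internal" only means the address is in the right domain, not that the message is genuine, since a compromised psu.edu mailbox passes it. Treat "lookalike" as a reason to verify by phone, exactly as the article advises, rather than as proof of fraud.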

In the gift card example, victims are asked to purchase multiple gift cards for someone posing as a co-worker or supervisor, scratch off each card's silver security panel, and send photographs of the redemption codes back to the sender. Once the codes are in the attacker's hands the value is spent immediately and cannot be recovered.

“The best way to defend yourself is to be aware,” Sparrow said. “Verifying that it is indeed a coworker with a phone call if you are suspicious is always your best bet for determining whether a sender is legitimate or not.”

While Penn State cannot refund employees who have used personal funds when they’ve fallen victim to these scams, OIS recommends all users report emails they suspect to be phishing attempts to phishing@psu.edu. Learn more about how to spot phishing emails at www.security.psu.edu.

If you believe you’ve been targeted by a phishing scam, OIS encourages you to:

Be wary

Many phishing attempts contain spelling, grammar or other glaring mistakes that can tip you off, but the most sophisticated attempts will appear to come from people you trust and read the way they normally write.

Be wary of emails that ask you to open a file, click on a link, or enter information into a form. Be especially careful of emails that ask you to enter your Access Account information. Remember: you wouldn’t give a stranger the keys to your apartment — when you give up your Access Account information, you’re doing the same thing with your digital space.

Confirm before you click

Trust your instincts. If an email seems suspicious, call the sender or write to them at an address you already know is theirs rather than replying to the message. Do not click a link in a suspicious email "just to check" whether it is really from a friend, co-worker or classmate; by then it may already be too late, since simply following a link can deliver malicious code to your system.

Details matter

Sometimes an attacker will use what they know about your organization to make a message sound more authentic. Read the message carefully and think about the style and tone: Does it match the sender's usual style and voice? Does it use terms that your organization does not? For example, Penn State doesn't refer to your WebAccess ID as your "PSU username."

Report It

When in doubt, file a report. You can always email phishing@psu.edu if you have concerns about an email you believe was sent as a phishing attempt.

Last Updated December 16, 2019