Q: How can I tell if emails asking me to verify my password are legitimate?


A: According to Penn State Information Technology Services, Penn State will never solicit you for personal information such as your Access Account Password. Any email seeking that information is fraudulent and should be deleted.

A few new phishing email scams targeting the Penn State community have come to light recently. If you are getting messages claiming to be from the Help Desk or the IT department seeking verification of your password or other identifying information, know that these did not come from Penn State. Do not click on any of the links in these emails. They are phishing scams and should be deleted.

Your Penn State password, if stolen, can be used for much more than just accessing your computer and your email. One key example of your password's value is that as a Penn State employee, your User ID and password allow you to see your benefits package, where your Social Security number can be found.

Phishing is a fraudulent process used by spammers to acquire sensitive information from users such as usernames, passwords and credit card details. It is sometimes easy to be deceived by phishing attempts since messages appear to be sent by legitimate and trustworthy sources, such as Penn State Webmail, IT Support, Penn State IT Helpdesk, etc.

In recent days, Carrara Education Technology Center staff members have noticed a number of new spam and phishing attacks that attempt to obtain user ID and password information by appearing to come from the "Penn State IT Helpdesk." These messages often contain spelling errors or unconventional sender addresses. If clicked, links direct users to a fake website and ask them to enter private information. Anyone who receives a message fitting this description should close the message immediately, mark it as spam/junk and empty the trash. Do not click on any of the links in these messages.

Questions about the messages should be directed to the College of Education Technology (CETC) staff to verify whether or not the email is legitimate.

The following guidelines, adapted from Stay Safe Online, will help to protect users against phishing and minimize its effects.

— Watch out for "phishy" emails. The most common form of phishing is emails pretending to be from a legitimate retailer, bank, organization or government agency. The sender asks users to "confirm" personal information for some made-up reason, such as a claim that an account is about to be closed, that an order for something has been placed in the user’s name, or that the user’s information has been lost because of a computer problem. Another tactic phishers use is to say they're from the fraud departments of well-known companies and ask to verify information because they suspect the user may be a victim of identity theft.

— Don't click on links within emails that ask for personal information. Fraudsters use these links to lure people to phony websites that look just like the real sites of the company, organization or agency they're impersonating. If users follow the instructions and enter personal information on the website, that information will be delivered directly into the hands of identity thieves. Instead, check whether the message is really from the company or agency by calling it directly or by going to the institution's homepage and “drilling down” to where you need to go. Look for spelling errors as well.

— Never enter personal information in a pop-up screen. Sometimes a phisher will direct users to a real company, organization or agency website, but then an unauthorized pop-up screen with blanks in which to provide personal information will appear. Information provided in that screen will go to the phisher. Again, close the box.

— Only open email attachments if you're expecting them and know what they contain. Even if the messages look like they came from people you know, they could be from scammers and contain programs that will steal your personal information.

— Know that phishing also can happen by phone, from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for personal information.

— If someone contacts you and says you've been a victim of fraud, verify the person's identity before you provide any personal information. Legitimate credit card issuers and other companies may contact you if there is an unusual pattern indicating that someone else might be using one of your accounts. But usually they only ask if you made particular transactions; they don't request your account number or other personal information. Law enforcement agencies also might contact you if you've been the victim of fraud. To be on the safe side, ask for the person's name, the name of the agency or company, the telephone number and the address. Get the main number from the phone book, the Internet or directory assistance and call to find out if the person is legitimate.

— Job seekers also should be careful. Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for Social Security Numbers and other personal information. Follow the advice above and verify the person's identity before providing any personal information.

— Be suspicious if someone contacts you unexpectedly and asks for your personal information. It's hard to tell whether something is legitimate by looking at an email or a website, or talking to someone on the phone, but if you're contacted out of the blue and asked for your personal information, it's a warning sign that something is "phishy." Legitimate companies and agencies don't operate that way.

What to do if you've been 'caught'

If you have fallen victim to a phishing scam and sent out your details to the phishers, immediately take the following steps:

Change passwords, contact institutions, close accounts. If you gave your Penn State user ID and/or password, contact the CETC Help Desk immediately. Depending on how much information you revealed, you also should log into your relevant accounts and change your passwords. If possible, also change your usernames. This will stop the fraudsters from accessing your accounts with the information you sent them. Contact your banks and financial institutions and make them aware of the situation. They should be able to give you further help and advice. If needed, you may actually want to close accounts that have been compromised.

File a police report. File a police report as soon as possible where your credit cards, etc., were stolen. This proves to credit providers you were diligent, and is a first step toward an investigation if there is one.

Put a "fraud alert" on your files at the credit reporting bureaus and with the Social Security office. This should stop the phishers from making an application for credit in your name.

For other advice for ID theft victims, contact the Federal Trade Commission's ID Theft Clearinghouse at http://www.ftc.gov/bcp/edu/microsites/idtheft/ or by calling 877-438-4338, TDD 202-326-2502. View the college’s Disaster Tolerance Response Policy at http://ed.psu.edu/internal/outreach-office/disaster-tolerance-response.

Last Updated April 13, 2016