How can I tell if an email is legitimate?

It is often difficult to tell for sure, so you should be skeptical about all email claiming to be from CETS, or elsewhere at Penn. Here are a few guidelines:

  1. Never give your password to anyone, even CETS, in response to an email.
  2. Never use email to send private information (e.g. Social Security or credit card numbers).
  3. Never enter confidential information into a website claiming to be from CETS or Penn unless you are certain the website is legitimate. A legitimate CETS or Penn website will have a University security certificate (see below).

To confirm that a website is managed by Penn, check the URL bar in your browser and find the lock symbol. When you click on the lock symbol, it should say

You are connected to upenn.edu

ISC has a guide Confirming a WebLogin Page is Legitimate. Here's an example of how the Google Chrome URL bar will display the security certificate for a valid PennKey login page:

Click on the green lock icon in the URL bar to view the full certificate information:

Generally, replies in an ongoing conversation or with specific references to an earlier conversation are more trustworthy than email sent "out of the blue", even from SEAS senders. If an email does not make sense, do not click on a link or open an attachment to get more information. Scammers often combine urgency and confusion to trick people into exposing their personal data.

If your instinct tells you something is probably spam/phishing, you're probably right. Just delete it. If you are concerned or unsure about the authenticity of an email, forward the email to CETS, and let us handle it.

© Computing and Educational Technology Services | Report a Problem
cets@seas.upenn.edu | 215.898.4707