Office of Information Security offers tips to avoid scams exploiting COVID-19

March 24, 2020

UNIVERSITY PARK, Pa. — As the Penn State community shifts to working and learning online, cybercriminals worldwide have begun to exploit the fear and anxiety experienced in the wake of the novel coronavirus. These attackers have an arsenal of tools at their disposal, but the most commonly used phishing scams involve exploiting existing relationships to get the victim to take a specific action — like clicking on a link, downloading a file, or providing sensitive information.

Penn State’s Office of Information Security (OIS) has seen a surge in malicious activity, a trend expected to continue in the coming weeks. You can avoid these scams and the risk they pose by learning to recognize them. With that in mind, OIS would like to share the following prudent information:  

Law enforcement agencies have seen an increase in criminals attempting to exploit COVID-19. This could mean creating fraudulent websites (including clickable maps of the pandemic) embedded with malware, sending fraudulent emails with malicious embedded files or links, or sending text messages appearing to come from people in authority with “new information” regarding the pandemic. In the coming weeks, it is also likely we will see an increase in business account takeovers.

Attackers have attempted to impersonate government agencies, including the IRS, CDC, FEMA, and WHO. When searching for information regarding COVID-19, go directly to these organizations’ websites by typing their addresses in your browser — don’t click on any links that come into your email box or respond to any text messages that appear to be from these sources. Never give out personal or financial information via email.

Attackers have attempted to impersonate deans, chancellors, VPs, and other people of authority in collegiate institutions, including Penn State. They may send emails asking you to purchase gift cards, provide passwords or sensitive information, or take similar actions. Attackers use a strong sense of urgency in their messages: “this needs to be done right away, but I can’t get out right now.”

Gift card scams and stealing credentials remain popular methods of attack. In gift card scams, attackers will tell their victims that they need to purchase a gift card (for whatever “business” reason) and provide the information to them. They’ll use whatever excuse is convenient, and once the victim provides the card information, the funds can’t be recovered. Attackers have used a similar approach for stealing credentials, again leveraging the existing relationship and trust to get the victim to provide passwords or login information.

Recognizing the “warning signs” for phishing scams is the first step toward avoiding them. Here are some things to watch for:

An “urgent” request that must be completed right away. The attacker who poses as a university official may say things like, “I can’t get out of my house right now” or “this has to be done immediately” or “I’m tied up today — can you take care of this ASAP?”

An action that isn’t typical or deviates from protocol. This may include purchasing a gift card and providing them the number or sending financial information via email or text. 

An attempt to get you to take a specific action, such as clicking on a link, opening a file, or providing sensitive information that the real person may ordinarily have access to, such as password or login information.

Any request for financial information, personal information, or login information via email. Most legitimate companies never have a reason to ask you for this information via email, so be extremely cautious when asked to do so.

You can always learn more about phishing scams and how to avoid them by visiting OIS’ dedicated website: phishing.psu.edu. You may also visit security.psu.edu to learn more about digital security best practices.

Last Updated March 24, 2020