Staying protected from COVID-19 phishing schemes

Nick Falcone, Penn’s information security officer, recommends taking extra steps to keep technology secure during such unprecedented times.

Nick Falcone, executive director of Information Security.

As we all adapt to a new normal in the coming weeks, moving most work online, it’s important to take guarded steps to keep our technology secure. As has been seen with other crises throughout the years, unprecedented circumstances often lead to fertile ground for cyberattacks. COVID-19 is proving no different.

Phishing scams in particular have notably popped up across the nation, deceiving people through email or imposter websites that steal their personal information. Nick Falcone, Penn’s information security officer, says he hasn’t seen any instances where the University was targeted, but there have been plenty of examples at peer institutions that should lead us all to take extra precaution.

In these trying times, Falcone says Penn faculty, staff, and students should pay extra close attention to email addresses that might be impersonating an administrator within the university. These might look like “upenn.edu” addresses, but often end with “gmail.com.” Emails like these could link out to illegitimate websites that resemble real ones and maliciously ask for login information, passwords, and other personal information.

There are also cases when the fraudulent emails include attachments that attack people’s computers when they are opened, says Falcone. Others might make suspicious requests, such as the out-of-the-ordinary purchase of gift cards or donations of funds.

When it comes to phishing, it’s very easy to be deceived, explains Falcone, and no one should feel shame if they fall into the trap. “It is the full-time job of the bad guys to trick you, and it’s not our full-time jobs to not get tricked,” he says. “They are good at their jobs, very deceptive, and there are hundreds of them for every one of us.”

If someone within the Penn community comes across any suspicious messages or websites, or thinks they might have been deceived, Falcone says they should immediately reach out to their local IT team. They can also reach out to phishing@upenn.edu.

“Our IT crews and my team at the Office of Information Security really have everyone’s backs,” says Falcone. “We can almost always fix whatever harm has been done if they reach out to us quickly.”

Aside from work- and school-related content, Falcone also suggests people keep a close eye on scams targeting social media. “It’s good to be well-defended there too,” he says.

One way to ensure added security is to enable two-step verification on any applications that allow it. In addition, Falcone says, be sure to keep at-home computers updated, and install antivirus software. Penn even offers free Symantec Endpoint Protection.

Going forward, Falcone says Penn will continue upping its abilities to fight phishing by providing more training to IT departments, through online videos, as well as providing phishing simulation tools and other resources to interested schools and centers.

“By promoting awareness,” says Falcone, “we really have a chance to be ahead of the game.”