IT safety and well-being

Nick Falcone from Information Systems & Computing discusses resources the Penn community can use to secure data and privacy.

As part of a series on wellness resources for the Penn community, Penn Today speaks with Nick Falcone from Information Systems & Computing to better understand how they partner with campus information technology teams and others to secure and maintain the community’s cyber presence. (Image: iStock / Tero Vesalainen)

Wellness and well-being are woven into the life of Penn’s campus for students, faculty, postdocs, and staff. In the fourth part of a series highlighting University resources aimed at supporting the campus community, Penn Today speaks with staff from the Information Systems & Computing (ISC) Division about how they partner with campus information technology teams to secure and maintain the vital systems keeping the Penn ecosystem safely connected. They also offer resources to assist the Penn community in protecting data and privacy.

With cybersecurity threats continually evolving, information security remains a top priority, according to Nick Falcone, executive director of information security at ISC and Penn’s Chief Information Security Officer.

One of the greatest threats is phishing, Falcone says. “Phishing attempts are an ongoing challenge, with attackers frequently targeting individuals via emails designed to steal credentials,” he says, emphasizing the importance of understanding how modern phishing attacks operate.

Phishing emails can come in various forms, from shipping notifications to IT department requests. “One thing we’ve seen recently is phishing attempts posing as urgent HR communications or financial documents,” Falcone says. “In those cases, people need to slow down and think carefully before clicking.”

Penn’s security team encourages users to report any suspicious activity, even if it’s a false alarm. “We want to get nine false positive reports for every one real one.

“Even if everything looks legitimate, it’s worth the extra step to confirm,” he says. Whether it is an email asking to authenticate or change a Penn Key or a third-party vendor communicating a change in bank information, it is always best to confirm through a trusted contact before sharing any sensitive information.

Payroll redirects, Falcone says, are another scam to look out for. They typically involve hackers redirecting employee paychecks to fraudulent accounts. “If you see anything odd with your paycheck or receive a notification from Workday that you didn’t expect, contact us right away.” The division also advises staff to regularly review their paycheck information and report unusual activity.

Resources to secure your data, email, and privacy

Phishing & Spear Phishing offers a guide to recognizing phishing emails and how to report them directly to ISC’s security team at security@upenn.edu. There is also online training for information security.

Two-step verification using Duo at Penn adds an extra layer of protection by requiring you to approve logins through an app or phone.

The University offers Dashlane to provide the community with safe, secure password management and offers guidance on protecting users’ PennKey.

ISC has also developed Workday Security Resources, which include detailed instructions on how to check your payroll information for signs of tampering.

Partnership with DPS

ISC partners with the Department of Public Safety (DPS) and local law enforcement to act fast when these incidents occur. One notable area of collaboration is in responding to sextortion attempts.

“These are becoming more common,” Falcone says. “People are often tricked into believing that compromising material about them exists, and scammers use that fear to extort money.” In these cases, ISC and DPS work to quickly assess the situation, helping victims understand that these threats are typically baseless.

Recently, DPS issued a warning for users to be aware of the signs of these types of email scams. The first line may contain personal information, such as a student’s parents’ names and address or other publicly available details, in an attempt to pressure the recipient into responding.

DPS recommends ignoring this type of message and alerting ISC immediately. You can also contact specialservices@publicsafety.upenn.edu should you have any questions or concerns.

Beyond financial scams and phishing attacks, ISC works with DPS to monitor threats to the campus’ overall digital security. “Whether it’s sextortion, ransomware, or fraud, it’s our job to make sure the community is protected,” Falcone says. “We’re always here to help.”