As the COVID-19 virus dominates the news, the Penn Office of Information Security (OIS) and other information security affiliates have identified a disturbing new trend: COVID-19 phishing scams. Cyber scammers are taking advantage of your desire to learn more about the coronavirus to lure you into opening malicious email attachments or clicking on fake website links, all in an effort to steal your identity and harvest your credentials.
These scams include, but are not limited to:
- Fake websites with web addresses (URLs) like “coron-virus-map[dot]com” or “corona-virus-map[dot]com” that are designed to steal sensitive data.
- Emails with links to fake web-login screens designed to steal employee credentials, such as your PennKey and password or other login information.
- Email messages with malicious links claiming to provide information on how to protect yourself and your family from the coronavirus. When you click the links, malware or ransomware is downloaded to your computing device and used for financial gain.
- Malicious phone apps with names like “coronavirusapp[dot]site” designed to load ransomware on phones.
- Text or email messages with malicious links that claim to direct recipients to the money issued under the federal government stimulus relief package. According to the Federal Trade Commission (FTC), the government will not ask you for your Social Security number, bank account number, or other financial information, nor will it ask you to pay anything upfront to receive the money.
The IT professionals at ISC are working diligently to block identified malicious web addresses and email messages at the Penn network border. However, with many Penn affiliates now working, teaching, and learning remotely, you should take the following steps to help keep your computing devices, Penn-sensitive data you have access to, and your personal information safe:
- Download and run anti-virus software on your home and work computing devices. Check with your School or Center IT support staff on the best anti-virus software to use.
- Verify Penn-related emails urging you to click on links or attachments by contacting your School or Center IT support staff. Report suspicious emails, text messages, or chat announcements to your IT support staff or to phishing@upenn.edu.
- Back up your data frequently to avoid work interruption and denial of access.
- Enable and use two-factor authentication whenever possible, including on your personal email account and on websites you visit.
- Seek information from credible resources, e.g., “My HR” / Penn Human Resources, the CDC, and official state and federal websites.
- Avoid sharing personal and sensitive information including financial information in an email or text, or on a phone call. Delete any message soliciting such information, and end the phone call without providing any sensitive information.
Additional resources:
- FTC Coronavirus Scams
- FTC Checks from the government scam
- CNBC Coronavirus scams, feeding off investor fears, mimic fraud from the 2008 financial crisis
- Homeland Security Cyber Infrastructure (CISA) Defending Against COVID-19 Cyber Scams
- FBI Warns of Money Mule Schemes Exploiting the COVID-19 Pandemic