UNIVERSITY PARK, Pa. — Penn State University Police and Public Safety is urging the Penn State community to be wary of individuals who scam unsuspecting victims out of cash and more through emails and other communications — while disguised as someone victims trust.
Known as “phishing,” these scams are on the rise and taking different forms during the pandemic, with more online activity occurring. The criminals initiating these scams pose as police officers, pastors and even professors and other Penn State employees and business affiliates to persuade victims to help the criminals by taking actions that require the use of the victim’s cash, bank accounts, passwords, Social Security numbers and more. It is important that anyone who receives such a request by email or text be extremely skeptical and review the safety tips below before taking any action.
“The primary concern of University Police and Public Safety is the well-being of the community members we serve. We routinely work to educate the community on steps to take to avoid becoming a victim, and in the event that a scammer has been particularly convincing, we are here to support victims,” said Charlie Noffsinger, associate vice president of University Police and Public Safety.
Multiple victims within the Penn State community have responded to such scams in recent weeks, including suspects claiming to be professors and asking students to cash fraudulent checks. Any Penn State student or employee who believes they may be a victim of a similar scam is encouraged to report the crime to their campus police station or online. Other reported phishing schemes have involved criminals posing as business associates and asking for changes to bank routing numbers, addresses and more.
“Penn State has made significant improvements in recent years in detecting and blocking phishing messages from getting delivered to Penn State inboxes,” said Richard Sparrow, Penn State’s acting chief information security officer in the Office of Information Security. “We block thousands of malicious messages every day, but cybercriminals continue to evolve their tactics and will find ways to get their phishing messages delivered. As a result, phishing messages have become more tailored to feel and look familiar to a potential victim.”
Penn Staters should regularly visit phishing.psu.edu, Penn State’s dedicated phishing website, to view the latest phishing alerts and to learn more about phishing. To protect yourself further against phishing scams, Penn State recommends these tips:
Suspect the unexpected. Most phishing attempts come from what appear to be legitimate sources. Some scams look very convincing, with letterhead or other indicators. If you’re not expecting an attachment (for example, a package invoice) from someone, even if you know them, don’t open it.
Call to confirm. If you’re unsure about the legitimacy of an attachment or email, call that person to confirm. For example, if you receive a notification from “UPS” about a missed package, call them directly to make sure it’s real. If you receive an email or online message from a business associate requesting you to take action on a matter, pause and make a direct telephone call to that individual.
Never surrender. Don’t ever give up your personal information. Scammers will often try to get you to “reset your password” by clicking on a link. Penn State will NEVER ask you for your Social Security number, WebAccess account password, or other sensitive information via email.
More is more. Use two-factor authentication (2FA) to add an extra layer of protection to your email, social media and other online accounts. Penn State faculty, staff and students are required to use 2FA for their WebAccess account.
Report phishing emails and texts
Any Penn State student or employee who responded to one of these scams should report it to Penn State police by calling their Penn State police station or filling out an online form. University Police can provide victims with support and work with other law enforcement agencies to identify suspects for prosecution.
Penn State also has a dedicated email address for reporting phishing attempts: firstname.lastname@example.org.
Sparrow said that reporting phishing emails to email@example.com has a real impact and aids the Office of Information Security in finding and blocking phishing messages before people can fall victim to them.
People should also take extra caution when pulling email messages out of junk and quarantine folders. This is good advice whether using Penn State's email system or your personal system, Sparrow said.