Scammers gonna scam: What you can do to prevent falling for phishing attacks during COVID-19

"Be critical of messages from unknown senders while working remotely."

You receive an email from your boss, who says she needs something from you quickly, and she wants you to text her for further instruction.

Or maybe it is a message claiming to be urgent COVID-19 news from Purdue, with a link to a website you’ve never seen before, where you’re asked to enter your Purdue user name and password.

Expect a continued influx of new phishing attacks and strategies, which cybercriminals use to get your cell phone number, Purdue credentials, and even money and gift cards, as members of the Purdue community adhere to the stay-at-home orders in place across the United States.

“Reports of scammers impersonating deans and other senior administrators are on the rise,” says Anthony Newman, interim chief information security officer for ITaP. “It’s important we all stay vigilant to phishing attacks, especially while we work remotely.”

The most important thing to remember is to double-check, sometimes triple-check, that an email or text message is legitimate and not a scam. Supervisors should use appropriate, recognized channels to communicate with employees. Consistency and redundancy in communication methods are key to ensuring faculty, staff and students know what’s “normal” and which requests look out of place.

Here are some tips and best practices to avoid getting scammed:

  • Check the domain of the sender’s email address. If it is not @purdue.edu, be skeptical. Keep in mind that smartphone email apps often display only the sender’s name by default, not the full email address. For example, an iPhone requires you to tap on the sender’s name to reveal the full email address.
  • If it is an @purdue.edu address, but the request seems odd, be skeptical.
  • If the email asks that you act fast to avoid a serious consequence, be suspicious.
  • If an email says to click on a link, move your mouse to hover over it to see where it actually leads. If you even think there’s a problem, don’t click.
  • If the email is addressed to no one or includes a generic greeting such as “colleagues” and contains few details, it’s likely a scam.
  • When in doubt, contact the purported sender of the message through another, official channel, by phone if you have their number or by using Skype or WebEx for a video call, for example. Messaging or calling new phone numbers provided in a questionable email or text message may just get you to the scammer on the other end.
  • Finally, it is important to report any attempted scam to ITaP security by sending the email in question as an attachment to abuse@purdue.edu.
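The sender-domain and link-hover checks from the list above can also be run automatically over a saved message. The following is an added example, not code from the article or from ITaP; the sample message, the flag names and the `triage` and `in_domain` helpers are constructed for illustration, and it assumes a single-part HTML message.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "purdue.edu"  # the domain the article tells readers to expect
# Constructed sample message for illustration, not real mail.
SAMPLE = '''From: "Dean of Students" <dean.office@example.net>
Subject: Urgent COVID-19 news from Purdue

<p>Colleagues,</p>
<p>Sign in at
<a href="https://login.example.org/purdue">https://www.purdue.edu/covid</a></p>
'''

class Links(HTMLParser):  # collects (href, visible label) for every <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.label = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.label = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.label += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.label))
            self.href = None

def in_domain(host, domain=TRUSTED):
    """True for the domain or a subdomain; purdue.edu.example.org fails."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return warning flags for one raw single-part HTML message."""
    msg = message_from_string(raw)
    # parseaddr splits the display name (all a phone may show) from the address.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = [] if in_domain(sender) else ["sender-domain:" + sender]
    parser = Links()
    parser.feed(msg.get_payload())
    for href, label in parser.found:
        host = urlparse(href).hostname or ""
        if host and not in_domain(host):  # what hovering over the link reveals
            kind = "deceptive-link:" if TRUSTED in label.lower() else "external-link:"
            flags.append(kind + host)
    return flags
```

An empty result only means these two checks passed. The From header can be forged, so an odd request from an @purdue.edu address still deserves the skepticism described above.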

Remember, there are no consequences for being overly cautious. There are, however, bad consequences if you fulfill a cybercriminal’s request.

If you have questions or need assistance, you can call or email ITaP customer service at 765-494-4000 or itap@purdue.edu.

For more information about how to protect yourself from online scams, visit https://purdue.edu/securepurdue.

Last Updated: April 9, 2020