This story is developing and will continue to be updated.
The Annenberg School for Communication warned members of its community of an apparent social engineering attack involving phone calls and text messages impersonating University contacts on Thursday.
In an April 2 email obtained by The Daily Pennsylvanian, Annenberg School’s Director of Information Technology Richard Cardona wrote to members of the school’s community that it has received “credible reports” of “advanced social engineering attacks” targeting Penn. According to the email, messages may appear to come from a legitimate phone number associated with the University and prompt users to visit a website to “maintain access” to their accounts.
“We are constantly improving our systems and have monitoring and systems in place to help address threats like these,” a University spokesperson wrote to the DP.
Seperate requests were left with Cardona and the Annenberg School.
The attacks, which Cardona described as not “traditional phishing emails,” may include calls or texts impersonating IT support, requests for “urgent action,” or directions to approve messages from Duo Security — the University’s two-factor authentication service.
Cardona wrote that receiving calls from individuals “who appear knowledgeable about Penn systems, terminology, or current events” may also be a “key red flag” for the attacks. He clarified that “Penn IT will not ask you to log in to external sites or approve unexpected Duo requests.”
The message also urged recipients not to follow instructions from unsolicited calls or texts and to contact IT support through a “known, trusted method.” Cardona advised community members to report any suspicious interactions, even if they are uncertain.
“These attackers move quickly once they gain access, and rapid reporting is critical,” he wrote.
The warning comes after several prior cybersecurity incidents at Penn, including an October 2025 breach involving accounts linked to the Graduate School of Education, when mass emails were sent from University-affiliated addresses to members of the Penn community.
In February 2026, the cybercrime group ShinyHunters claimed responsibility for the incident, releasing thousands of pages of additional internal University files. The post — which came days after a court filing claimed the breach “impacted less than 10 people” — alleged that the event affected 1.2 million records.
A University spokesperson previously told the DP that Penn completed a “comprehensive review” of the cybersecurity incident and notified affected individuals.
In December 2025, Penn investigated a separate cybersecurity breach of its Oracle E-Business Suite servers that compromised the personal information of University-affiliated individuals across multiple states.
While it was unclear how many individuals were affected in total, information filed with the Office of the Maine Attorney General indicated that the breach affected 1,488 state residents.
Senior reporter Ananya Karthik covers central administration and can be reached at karthik@thedp.com. At Penn, she studies communication and economics. Follow her on X @ananyaakarthik.
