Attention: Recent Phishing Attacks
Yesterday, the Duke community experienced a wave of phishing attacks with the following subject lines:
- Unicef Employment
- Urgent Warning
- No Subject Line
Some of the messages contained links in the message body, a PDF file with a single link, or a PDF file offering the recipient a job with Unicef and a Gmail address to contact.
If you responded to one of these messages AND provided your Duke credentials (username, password, security questions, or MFA codes), immediately contact the Duke Service Desk (oit.duke.edu/help) or Duke’s IT Security Office (security.duke.edu) for assistance in resetting your password. You can also email firstname.lastname@example.org or email@example.com.
This message is a reminder that:
DUKE WILL NEVER ASK FOR YOUR PASSWORD OR MFA CODES. DUKE WILL NEVER ASK FOR THE RESPONSE TO COME FROM A NON-DUKE ADDRESS.
If you receive SMS texts with new Duo codes or receive a Duo push that you were not expecting, do NOT respond. Report the occurrence to firstname.lastname@example.org.
The attacker is trying to bypass Duke’s multifactor authentication by persuading students, faculty and staff to enter their credentials on a fraudulent webpage, OR by contacting Duke users directly, if they have provided their cell phone number, and asking them for the Duo code. Unfortunately, some have provided the information, allowing the attacker to contact thousands more in the Duke system.
As a reminder, the best way to submit suspicious emails to IT Security is via the "Report Phish to Duke" button available in any Outlook client (PC, Mac, web or mobile). We encourage faculty and staff to also sign up for IT Alerts at https://status.oit.duke.edu for updates in real time.
October is Cybersecurity Awareness Month: Duke faculty and staff will be invited to participate in an annual security challenge to raise awareness around phishing attacks.
In October, faculty and staff can also opt in to additional simulated phishing for a chance to win prizes. Participants will receive a phish each workday between October 3-21 and can report it using the “Report Phish to Duke” button to receive up to 60 additional points in the Duke Security Challenge. Points add up to prizes! To raise awareness around phishing, you can sign up for phish testing. Learn more at security.duke.edu/news/take-duke-security-challenge-october.