NOTICE: Increase in Phishing Scams Utilizing Legitimate Services

U-M students and employees have reported incidents of phishing that leverage legitimate services, such as Duo and Docusign, to lure them into providing a Duo passcode or accessing documents that link to fake login pages.

Threat actors are increasingly using legitimate services for malicious activities including to obtain login credentials, Duo passcodes, and other personal information.

Threat actors may obtain login credentials, Duo passcodes, and other personal information.

How to Protect Yourself 

• If you receive a Duo prompt that only gives you the option to use a passcode, report it.
• If you receive a Duo push when you are not trying to log in, click “Deny” and report it as fraud in Duo.
• If you receive a suspicious message, such as an unexpected document through a document service, report it.
• Before entering your UMICH (Level-1) password on a web page, check the web address/URL. UMICH Single Sign On begins with https://weblogin.umich.edu/.
• See the phishing alerts below for  more details about recognizing these types of scams.

Document Services: Threat actors send phishing email from services used at U-M like DocuSign, Google, Office365, or Adobe Creative Cloud to lure you to a document with a link to a fake login page.

Duo: The Duo service is leveraged in two different ways to trick people into providing login information and/or Duo passcodes.

• A threat actor uses a fake login page to capture a person’s login information. The fake login then leads to a fake Duo prompt, specifically asking for a passcode. If the person then enters a Duo passcode (or passcodes), they can be used, along with the stolen login information, to access accounts fraudulently.
• An unexpected Duo push is sent to a person when they are not trying to log in. In this situation, a threat actor has used their stolen login information to log in to their account and is attempting to use Duo to complete the multi-factor authentication. If the person clicks “Approve”, the threat actor will be able to access their account. Pushes may occur repeatedly and persistently, trying to get the person to approve -- capitalizing on multi-factor authorization fatigue.

If You Get Caught

If you gave personal information in response to a phishing email or on a suspicious webpage, your account may be compromised.

• Change your UMICH (Level-1) password and follow the instructions at What to Do if Your Account May Be Compromised.
• Carefully review any online account that became vulnerable as a result of responding to the scam.

Report Suspicious Email or Request

• Google at U-M users can forward phishing email to ReportPhish@umich.edu; include what Google calls the original message. Michigan Medicine Outlook/Exchange users can use a Report Phishing button. For details, see Report Phishing.
• Report other suspicious requests or prompts by sending a description of your experience to ReportPhish@umich.edu.