There has been an increase in phishing scams that utilize or imitate legitimate U-M services, such as Duo and DocuSign. Please be aware of these ongoing scams and share this information with faculty, staff and students in your unit.
This notice was originally posted on safecomputing.umich.edu.
U-M students and employees have reported incidents of phishing that leverage legitimate services, such as Duo and DocuSign, to lure them into providing a Duo passcode or accessing documents that link to fake login pages.
Problem
Threat actors are increasingly using legitimate services for malicious activities, including obtaining login credentials, Duo passcodes, and other personal information.
Threats
Threat actors may obtain login credentials, Duo passcodes, and other personal information.
Affected Systems
Duo and secure document services such as DocuSign, Google, Office365, or Adobe Creative Cloud.
Action Items
How to Protect Yourself
- If you receive a Duo prompt that only gives you the option to use a passcode, report it.
- If you receive a Duo push when you are not trying to log in, click “Deny” and report it as fraud in Duo.
- If you receive a suspicious message, such as an unexpected document through a document service, report it.
- Before entering your UMICH (Level-1) password on a web page, check the web address/URL. UMICH Single Sign On begins with https://weblogin.umich.edu/.
- See the phishing alerts below for more details about recognizing these types of scams.
Technical Details
Document Services: Threat actors send phishing email from services used at U-M like DocuSign, Google, Office365, or Adobe Creative Cloud to lure you to a document with a link to a fake login page.
Duo: The Duo service is leveraged in two different ways to trick people into providing login information and/or Duo passcodes.
- A threat actor uses a fake login page to capture a person’s login information. The fake login then leads to a fake Duo prompt, specifically asking for a passcode. If the person then enters a Duo passcode (or passcodes), the passcodes can be used, along with the stolen login information, to access accounts fraudulently.
- An unexpected Duo push is sent to a person when they are not trying to log in. In this situation, a threat actor has used the person’s stolen login information to log in to the person’s account and is attempting to use Duo to complete the multi-factor authentication. If the person clicks “Approve”, the threat actor will be able to access their account. Pushes may occur repeatedly and persistently, trying to get the person to approve, capitalizing on multi-factor authentication fatigue.
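For teams that review authentication logs, the repeated-push pattern described above can be flagged automatically. The following is an added example, not part of the original notice: the log format, the sample records, the 10-minute window and the threshold of three rejected pushes are all assumptions made for illustration and do not reflect a real Duo export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (hypothetical format): time, user, factor, result.
SAMPLE_LOG = """\
2024-01-01T09:00:05 alice push approved
2024-01-01T02:10:00 bob push denied
2024-01-01T02:11:30 bob push timeout
2024-01-01T02:12:10 bob push denied
2024-01-01T02:13:00 bob push approved
2024-01-01T11:00:00 carol push denied
2024-01-01T15:00:00 carol push denied
2024-01-01T16:00:00 dave passcode approved
"""

def parse(log):
    """Yield (timestamp, user, factor, result) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, user, factor, result = line.split()
            yield datetime.fromisoformat(ts), user, factor, result

def find_push_fatigue(log, window=timedelta(minutes=10), threshold=3):
    """Return {user: {"rejected": n, "approved_after": bool}} for users with
    `threshold` or more denied/timed-out pushes inside a sliding `window`."""
    recent = defaultdict(deque)  # user -> times of recently rejected pushes
    alerts = {}
    for ts, user, factor, result in sorted(parse(log)):
        if factor != "push":
            continue
        q = recent[user]
        while q and ts - q[0] > window:  # drop rejections older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"rejected": 0, "approved_after": False})
                a["rejected"] = max(a["rejected"], len(q))
        elif result == "approved" and len(q) >= threshold:
            # An approval right after a burst of rejections is the highest-priority case.
            alerts[user]["approved_after"] = True
            q.clear()
    return alerts

if __name__ == "__main__":
    for user, info in find_push_fatigue(SAMPLE_LOG).items():
        print(user, info)
```

A user flagged with `approved_after` set should be treated as a likely account compromise and handled under the steps in "If You Get Caught".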
Information for Users
If You Get Caught
If you gave personal information in response to a phishing email or on a suspicious webpage, your account may be compromised.
- Change your UMICH (Level-1) password and follow the instructions at What to Do if Your Account May Be Compromised.
- Carefully review any online account that became vulnerable as a result of responding to the scam.
Report Suspicious Email or Request
- Google at U-M users can forward phishing email to ReportPhish@umich.edu; include what Google calls the original message. Michigan Medicine Outlook/Exchange users can use a Report Phishing button. For details, see Report Phishing.
- Report other suspicious requests or prompts by sending a description of your experience to ReportPhish@umich.edu.