This month marks the one-year anniversary of the start of a series of phishing attacks aimed at stealing the paychecks of Duke faculty and staff. From November 2013 through March 2014, attackers sent three messages asking Duke employees to provide their usernames and passwords. Several employees' paychecks were diverted to bank accounts controlled by the attackers. Duke was not the only target. According to REN-ISAC, a national group that promotes cybersecurity in research and higher education:
"Universities and colleges have been targeted by spearphishing campaigns designed to steal user credentials for many years. Stolen credentials are used for many purposes, such as sending spam from compromised email accounts, optimizing search engine results for black market pharmaceutical web pages, gaining access to university-licensed resources, and hosting malware.
"For roughly the past year, many of these campaigns have used harvested credentials to alter a victim’s direct deposit information. Targeted individuals include both faculty and administrators from various departments. Several of the attacks appear to have specifically targeted individuals in university medical and dental programs. These emails often use subjects related to salary increases to lure victims into clicking on malicious links. Subject lines have included:
- Your Salary Review Documents
- Important Salary Notification
- Your Salary Raise Confirmation
- connection from unexpected IP
- RE: Mailbox has exceeded its storage limit."
As a result of these attacks, Duke implemented new security measures designed to protect our community from attackers attempting to steal credentials. The most important of these defenses, multi-factor authentication, protects your access to Duke systems by requiring not just a password (something you know), but also a second form of verification, such as a phone or hardware token (something you have).
The Duke community continues to receive fraudulent email messages that attempt to trick you into providing your username, password or other information. Just this week, more than 1,100 people received this message, directing recipients to a page that looks very much like Duke’s authentication page.
We encourage you to act with caution. Should you receive a questionable email, please forward it to firstname.lastname@example.org, and do not click on the link! We also encourage you to sign up for Duke’s multi-factor authentication service (https://oit.duke.edu/mfa) in order to protect your account.
Thank you for doing your part to keep your account and Duke safe!