The Duke community experienced the most significant email phishing attack since 2020 last Thursday, as reported by the Duke Office of Information Technology. The deceptive messages either warned students of a “Warning” or “Urgent Warning” regarding their Duke account, or offered fake UNICEF jobs or remote work opportunities, according to a recent OIT notification.
Richard Biever, the chief information security officer for Duke OIT, stated, “This is likely the most impactful phishing attack we have encountered since around 2020.”
Unfortunately, some individuals provided their information, enabling the attacker to reach out to thousands more within the Duke system, as mentioned in the notice.
Biever chose not to disclose the exact number of emails involved in this phishing attack due to concerns that it could potentially lead to another scammer attempting another attack.
He further mentioned that OIT’s anti-phishing system successfully blocked 65 million fraudulent messages last month, which accounted for 62% of all incoming mail in the Duke community.
Biever emphasized, “Phishing continues to be prevalent because it is effective and does not require significant effort.” Scammers can easily send out thousands of emails at once, and individuals still fall victim to clicking on malicious links.
The attack from last week was executed in two phases. Initially, the perpetrators sent false alerts from non-Duke email addresses, warning recipients about potential loss of access to their Duke accounts. Concerned recipients then followed a provided link and entered their passwords and codes.
During the second phase of the assault, the culprits utilized the stolen passwords and codes to dispatch a series of deceitful messages from Duke email addresses. These messages purported to offer job opportunities and were crafted to extract financial details from the recipients, implicating them in more extensive scams.
These fraudulent activities can be likened to “crowd-sourced money laundering,” as per Biever. If a student falls victim to these scams by disclosing financial information, there is a risk that “the student may be held accountable for funds passing through their account.”
Instances of email phishing and deceptive messages are not uncommon within the Duke community.
In 2018, The Chronicle documented a phishing incident that targeted 233 individuals at Duke. Subsequently, the community encountered numerous additional attacks, with the most significant occurring in 2020, according to Biever. During the 2020 breach, a third-party academic assistance platform known as Chegg had its system compromised. Many Duke students who possessed Chegg accounts had reused their Duke passwords, thereby jeopardizing their university accounts.
Similar fraudulent schemes are also being observed at other academic institutions, with the University of Pittsburgh and the University of Wisconsin-Madison reporting comparable challenges.
How to protect yourself from future phishing attacks
There exist various methods for students to safeguard themselves against such attacks. Students must exercise caution with any email requesting passwords, security codes, security questions, Multi-Factor Authentication (MFA) codes, home addresses, cell phone numbers, or bank account details.
Any suspicious messages can be reported to the Duke OIT Security Team by utilizing the report a phish button. Students have the option to participate in the account security challenge, which involves enrolling to receive regular phishing simulation messages to assess their abilities. Biever also suggests configuring Duke Unlock with Face ID or Touch ID and transitioning from SMS codes for Duo MFA to using Duo Push instead.
As per Biever, both the main campus and Duke University Health System security teams responded exceptionally well to the situation. “It could have been much worse,” he stated. “I regret that it takes an incident like this, but ultimately, it enhances our community’s intelligence, strength, and overall improvement,” Biever remarked.
Leave a Reply
You must be logged in to post a comment.