Protect Yourself Against a Two-Factor Phishing Attempt
Unexpected Duo Attempts and Prompts
Beware of unexpected Duo Multi-Factor Authentication (MFA) prompts. Ignore them unless you're sure you requested them. If you are unexpectedly prompted to use Duo in a way you're unfamiliar with, ignore it and contact security@illinois.edu. For example, if you usually use your smartphone's Duo app but instead get a Duo automated phone call or are prompted to enter a passcode, this could be an indication of a two-factor phishing attempt.
Be Wary of Repeated Login Attempts or Prompts
Criminals try to get through your defenses by chipping away at your patience. In what is called an MFA fatigue attack, they start by stealing your NetID and password. They then attempt to log in to your account over and over, generating a stream of MFA requests on your phone. They are hoping you will accidentally tap "Accept" instead of "Deny," or that you will approve one of the requests just to stop the barrage of notifications.
Deny every prompt you did not start, and never approve one to make the notifications stop. The best way to end the attack is to change your NetID password: once the stolen password no longer works, the attacker can no longer trigger authentication requests. Contact security@illinois.edu if this happens to you.
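The pattern described above (a burst of pushes that the user does not answer or denies, sometimes followed by one approval) is also what a defender can look for in authentication logs. The following is an added example, not code from this page or from Duo: it runs a sliding-window count of denied and unanswered pushes per user over a few constructed sample records. The record layout (timestamp, user, factor, result, reason) is an assumption loosely modelled on push-based MFA logs, and the 10-minute window and threshold of 4 are illustrative values, not recommended settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records for this example (not real Duo output).
# Fields: ISO timestamp, user, factor, result, reason.
SAMPLE_EVENTS = [
    ("2024-03-04T08:00:00", "alice", "duo_push", "success", "user_approved"),
    ("2024-03-04T23:10:05", "bob",   "duo_push", "denied",  "no_response"),
    ("2024-03-04T23:10:40", "bob",   "duo_push", "denied",  "user_denied"),
    ("2024-03-04T23:11:02", "bob",   "duo_push", "denied",  "no_response"),
    ("2024-03-04T23:11:30", "bob",   "duo_push", "denied",  "user_denied"),
    ("2024-03-04T23:12:15", "bob",   "duo_push", "denied",  "no_response"),
    ("2024-03-04T23:12:50", "bob",   "duo_push", "success", "user_approved"),
    ("2024-03-04T09:15:00", "carol", "duo_push", "denied",  "user_denied"),
    ("2024-03-04T09:40:00", "carol", "duo_push", "success", "user_approved"),
]

# Push outcomes that mean the user did not approve the request.
NOT_APPROVED = ("no_response", "user_denied")


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Return {user: alert} for users with >= threshold unapproved pushes
    inside a sliding time window.  The alert also records whether the user
    approved a push within the same window after the burst began, which is
    the case where the fatigue attack actually succeeded."""
    by_user = defaultdict(list)
    for ts, user, factor, result, reason in sorted(events):
        if factor != "duo_push":        # only push prompts can be spammed this way
            continue
        by_user[user].append((datetime.fromisoformat(ts), result, reason))

    alerts = {}
    for user, records in by_user.items():
        recent = deque()                 # timestamps of unapproved pushes in the window
        for t, result, reason in records:
            if result == "denied" and reason in NOT_APPROVED:
                recent.append(t)
                while recent and t - recent[0] > window:
                    recent.popleft()     # drop pushes that fell out of the window
                if len(recent) >= threshold:
                    alerts[user] = {
                        "pushes": len(recent),
                        "first": recent[0],
                        "approved_after": False,
                    }
            elif result == "success" and user in alerts:
                # An approval shortly after the burst: the attacker probably got in.
                if t - alerts[user]["first"] <= window:
                    alerts[user]["approved_after"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"{user}: {alert['pushes']} unapproved pushes from {alert['first']}, "
              f"approved afterwards: {alert['approved_after']}")
```

In the sample data only bob trips the rule: five pushes he did not approve in under three minutes, then one approval, which is exactly the sequence the page warns about. Carol's single denial is normal user behaviour and is not flagged.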
Look Out for Well-Done Fake Login Pages
Criminals may also attempt to trick you into giving them a legitimate MFA verification code by making their phishing website look like a legitimate university website. They send you an email that has a link going to a fake illinois.edu login page. Even though the page looks like the legitimate site, the URL is a clue that something's not right. For links that take you to a login page, triple-check the URL in your browser bar or navigate to the page on your own.
For example, this fake login page looks legitimate, but notice that the domain in the URL is phishingwebsite.com. Although most phishing sites will not be this obvious, another trick criminals use is to add illinois.edu to the end of the URL, such as phishingwebsite.com/illinois.edu. What matters is the domain name itself, not text that appears after it.
Once a NetID and password are entered on a fake login page, a fraudulent two-factor authentication step is presented.
On a legitimate login page, Duo will typically use the method you used most recently, or the method you have chosen from the Other Options list of methods. A phishing site will offer you ONLY the Enter a Passcode option and will display an address from an unrecognized website domain, circled in the image below. The real Duo Universal Prompt will only appear on the duosecurity.com web domain.
In a typical phishing attack, since the Duo prompt may appear legitimate, a user might go to their phone, retrieve a Duo passcode, enter it into the malicious website, and click Verify, unknowingly handing an MFA passcode to an attacker.
The attacker would now have:
- Your NetID
- Your password
- A legitimate Duo code that they can use to log in to your account
The strength of two-factor authentication lies in what you know (your login credentials) and what you have (your phone). If a website tries to bypass one or the other, then do not continue and contact security@illinois.edu.
If you think your credentials have been compromised, contact security@illinois.edu right away. Criminals keep trying different ways to steal data and Technology Services Security would rather see an old phish than miss a new one.
This kind of attack originates with the link to the fake Illinois login page. That's why it's so important to make sure the link you click is a valid Illinois link whose domain is illinois.edu or uillinois.edu (or a subdomain of one of them, such as login.illinois.edu).
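The URL checks described above (the domain in the address bar, and the trick of putting illinois.edu in the path rather than the hostname) can be expressed as a small function. The following is an added example, not code from this page or from Technology Services: it parses a link and reports whether the hostname really is illinois.edu, uillinois.edu, or a subdomain of one of them, and explains the common lookalike tricks when it is not. The allow-list, the requirement for https, and the username-before-@ check go slightly beyond what the page states and are assumptions for this example.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example: the domains the page names as legitimate.
TRUSTED_DOMAINS = ("illinois.edu", "uillinois.edu")


def hostname_is_trusted(host):
    """True only if host is exactly a trusted domain or a subdomain of one.
    'illinois.edu.phishingwebsite.com' and 'notillinois.edu' both fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_login_link(url):
    """Return (trusted, reason) for a link that leads to a login page."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""       # .hostname is lower-cased and strips the port

    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme '{parts.scheme or '(none)'}'"
    if not host:
        return False, "no hostname in the URL"

    if hostname_is_trusted(host):
        if parts.scheme != "https":   # assumed extra check: a real login page is served over https
            return False, f"'{host}' is a trusted domain but the link is not https"
        return True, f"'{host}' is a trusted domain"

    # Not trusted: say which trick is being used so the reader learns to spot it.
    if parts.username is not None:
        # https://illinois.edu@phishingwebsite.com/ - text before '@' is a username,
        # the browser connects to what comes after it.
        return False, (f"text before '@' is ignored by the browser; "
                       f"the real host is '{host}'")
    rest = parts.path + parts.query + parts.fragment
    for d in TRUSTED_DOMAINS:
        if d in rest:
            # phishingwebsite.com/illinois.edu - the trusted name is only in the path
            return False, f"'{d}' appears after the hostname, not in it; host is '{host}'"
        if d in host:
            # illinois.edu.phishingwebsite.com - the trusted name is a subdomain label of
            # someone else's domain
            return False, f"'{d}' is inside '{host}', but the registered domain is not '{d}'"
    return False, f"'{host}' is not a trusted domain"


if __name__ == "__main__":
    for link in (
        "https://login.illinois.edu/cas/login",
        "https://phishingwebsite.com/illinois.edu",
        "https://illinois.edu.phishingwebsite.com/login",
        "https://illinois.edu@phishingwebsite.com/login",
        "http://login.illinois.edu/",
    ):
        ok, why = check_login_link(link)
        print(("OK   " if ok else "STOP ") + link + "  ->  " + why)
```

The decisive test is the one in hostname_is_trusted: the trusted name must be the whole hostname or be preceded by a dot, which is the same check your eyes should make in the address bar before typing a NetID and password.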
Always Report Suspicious Email
If you receive a suspicious email with login prompts or asking for other personal information, several reporting methods are available.
Options include:
- Using the built-in Proofpoint for Outlook Add-in
- Forwarding the suspicious email as an attachment to security@illinois.edu
Support
Further guidance on spotting fraudulent emails can be found at Security, How to identify phishing attempts and similar scams