Protect Yourself Against a Two-Factor Phishing Attempt
Repeated Duo Attempts and Prompts
Beware of unexpected Duo Multi-Factor Authentication (MFA) prompts. Ignore them unless you’re sure you requested them. If you are unexpectedly prompted to use Duo in a way you’re unfamiliar with, ignore it and contact Technology Services Security. For example, if you usually use your smartphone’s Duo app, but you instead get a Duo automated phone call or are prompted to enter a passcode, ignore it.
Be Wary of Repeated Login Attempts or Prompts
Criminals try to get through your defenses by chipping away at your patience. Called “MFA fatigue”, they start by stealing your NetID and password, then trying to log into your account over and over again. You get so many authentication requests on your phone that you might accidentally hit "accept" instead of "deny".
The best way to stop this "MFA push spam" is to change your NetID password on the compromised account. Once you change your password, the attacker can no longer send you the authentication request. Contact Technology Services Security if this happens to you.
Look Out for Well-Done Fake Login Pages
Criminals may also trick you into giving them a legitimate MFA verification code by making you believe you're using a legitimate Illinois site. They send you an email that has a link going to a fake illinois.edu login page. Even though the page looks like a legitimate site, the URL is the clue that something's not right. For links that take you to a login page, triple-check the URL in your browser bar or navigate to the page on your own.
This fake login page tries to trick you as the URL is phishingwebsite.com. Although it might not be this obvious, some other tricks criminals use is to add “illinois.edu” to the end such as “phishingwebsite.com/illinois.edu”.
Once you enter your NetID and password on a fake page, you'll be asked to complete the two-factor authentication step. Normally Duo will use the method you used most recently, or the method you have chosen from the Other Options list of methods.
A phishing site will offer you ONLY the Enter a Passcode option and will display an address from an unrecognized website domain, circled in the image below.
The Duo Universal Prompt will only appear on the duosecurity.com/ web domain.
Graphically, everything looks legitimate, so you go to your phone, get the Duo passcode, enter it into the website, and click "Verify”.
You’ve now been phished.
The criminal has:
- Your NetID
- Your password
- A legitimate Duo code that they can use to log in to your account
The strength of two-factor authentication lies in what you know (your login credentials) and what you have (your phone). If a website tries to bypass one or the other, then do not continue and contact Technology Services Security.
If you think your credentials have been compromised, Contact Technology Services Security right away. Criminals keep trying different ways to steal data and Technology Services Security would rather see an old phish than miss a new one.
You’ll notice that this kind of attack originates with the link to the fake Illinois login page. That’s why it’s so important to make sure the link you click is a valid Illinois link with the illinois.edu or uillinois.edu domain. .
Always Report Suspicious Email
If you receive a suspicious email with login prompts or asking for other personal information, report the message using methods found here.
Options include:
- Using the built-in Proofpoint for Outlook Add-in
- Forwarding the suspicious email as an attachment to Technology Services Security
Other
To share feedback about this page or request support, reach out to the Technology Services Help Desk
More info on how to spot fraudulent emails here.