News by Topic

Click on a topic below to see the latest headline

Customize "My Headlines" by Topic

Choose the topics of most interest to you to follow under "My Headlines".

Subscribe

Sign up for newsletters, news feeds, social media and other news sources.

Resources for News Media

Are you a reporter working on a story? Here's where you find help from Duke.

New IT Security Measures for Payroll Transactions

New IT Security Measures for Payroll Transactions

Duke's IT Security Office has taken steps to minimize future exposures

print |

Editor's Note: The following is a message sent Wednesday to Duke University and Duke University Health System staff and faculty by Tallman Trask III, executive vice president.

Durham, NC - During the last few months, several hundred of our faculty and staff have been targeted by sophisticated "phishing" attacks - fraudulent emails intended to fool readers into providing their network identification and password.

These attacks, often designed to look as if they came from Duke departments such as the Office of Information Technology or Human Resources - have been clever enough to convince several of our employees to provide the requested data. Using these credentials, attackers accessed the Duke@Work self-service website and changed the direct deposit bank account instructions for the paychecks deposited by Duke on behalf of those employees. As a result, the perpetrators of the scam effectively stole the payroll funds from the intended recipients. (Duke voluntarily replaced these funds; we cannot do so indefinitely).

Duke's IT Security Office has taken steps to minimize future exposures. The following security measures now pertain to all payroll transactions in the Duke@Work site:

1)  bank account numbers are no longer displayed;

2)  all direct deposit bank account changes require the user to enter the existing bank account number in order to execute a direct deposit bank account change;

3)  enrollment in direct deposit for new users requires the last four digits of the Social Security number;

4)  viewing the online W-2 information also requires entering the last four digits of the Social Security number.

We strongly recommend that you enroll in and use multi-factor authentication to further secure access to Duke@Work. The enrollment process has been recently streamlined to make the process more efficient for users. Visit the Multi-factor Authentication website to enroll.

If you choose not to use this security tool and submit your network identification and password as the result of a phishing attack, Duke cannot guarantee the replacement of any funds that may be lost as a result.

Duke is not alone in experiencing these phishing attacks; other universities have experienced similar intrusions. While none of Duke's information security systems have been directly "hacked" through these incidents, they offer an important reminder of our increasing (and worldwide) vulnerability.

Finally, and most importantly, we all need to be diligent in evaluating email and any other solicitation for your confidential data. Duke administrative service providers (OIT, Financial Services, Human Resources) will never request your network password or other authentication information by email or telephone. If you do receive a suspicious email or other message requesting your confidential information, please immediately contact your local network administrator and OIT at security@duke.edu.

We encourage Duke faculty, staff and students to share ideas, collaborate and discuss issues on Duke Today. To post a comment, you must log-in with your Duke NetID and password. Any comments or materials that are inappropriate, disrespectful or violate Duke policies will be deleted. These may include statements or materials that:

  • promote commercial enterprises;
  • sell, or solicit offers to sell, goods or services for personal gain;
  • promote a political candidate or political party; or
  • violate policies regarding personal, proprietary or protected health information.

For more information, visit our guidelines for posting content.

Comments

You are not logged in. Please log in to leave a comment. Comments are restricted to faculty, staff, and students.

© 2014 Office of Communication Services
705 Broad Street, Box 90496, Durham, NC 27708
(919) 681-4533; FAX: (919) 681-7926

Submit A Story Idea

We value your suggestions and feedback. Got an idea for a story, video or photo you would like to see in Duke Today?

Submit a Story Idea