New IT Security Measures for Payroll Transactions

During the last few months, several hundred of our faculty and staff have been targeted by sophisticated "phishing" attacks - fraudulent emails intended to fool readers into providing their network identification and password.

These attacks, often designed to look as if they came from Duke departments such as the Office of Information Technology or Human Resources - have been clever enough to convince several of our employees to provide the requested data. Using these credentials, attackers accessed the Duke@Work self-service website and changed the direct deposit bank account instructions for the paychecks deposited by Duke on behalf of those employees. As a result, the perpetrators of the scam effectively stole the payroll funds from the intended recipients. (Duke voluntarily replaced these funds; we cannot do so indefinitely).

Duke's IT Security Office has taken steps to minimize future exposures. The following security measures now pertain to all payroll transactions in the Duke@Work site:

1)  bank account numbers are no longer displayed;

2)  all direct deposit bank account changes require the user to enter the existing bank account number in order to execute a direct deposit bank account change;

3)  enrollment in direct deposit for new users requires the last four digits of the Social Security number;

4)  viewing the online W-2 information also requires entering the last four digits of the Social Security number.

We strongly recommend that you enroll in and use multi-factor authentication to further secure access to Duke@Work. The enrollment process has been recently streamlined to make the process more efficient for users. Visit the Multi-factor Authentication website to enroll.

If you choose not to use this security tool and submit your network identification and password as the result of a phishing attack, Duke cannot guarantee the replacement of any funds that may be lost as a result.

Duke is not alone in experiencing these phishing attacks; other universities have experienced similar intrusions. While none of Duke's information security systems have been directly "hacked" through these incidents, they offer an important reminder of our increasing (and worldwide) vulnerability.

Finally, and most importantly, we all need to be diligent in evaluating email and any other solicitation for your confidential data. Duke administrative service providers (OIT, Financial Services, Human Resources) will never request your network password or other authentication information by email or telephone. If you do receive a suspicious email or other message requesting your confidential information, please immediately contact your local network administrator and OIT at security@duke.edu.