Phishing attacks continue after new security measures implemented

Faculty, staff encouraged to enroll in multi-factor authentication service

Less than a day after Duke implemented new security features in response to recent "phishing" attacks, another fraudulent email targeted the Duke community attempting to steal credentials to access payroll information.

The email -- with the subject line, "Your Salary Raise Details" -- told recipients they were qualified for a salary increase on their next paycheck and directed them to a Russian domain that had cloned Duke's log-in page (but removed the warning line, "You are on the correct Duke sign-in page if the URL above begins with https://shib.oit.duke.edu/."). Supplying credentials to that page then redirected users to a fraudulent version of the Microsoft Office Web Access page and then to www.duke.edu. More than 650 Duke users received the email, and five clicked on the link.

The email was similar to three other recent attacks, which were clever enough to convince at least 10 employees to provide usernames and passwords. Attackers used those credentials to access the Duke@Work website and change the direct deposit bank account instructions for those employees' Duke paychecks.

"These attackers are increasingly sophisticated, and their persistence provides an important reminder that faculty and staff members must remain vigilant in evaluating all emails and other solicitations for confidential data," said Richard Biever, the university’s chief information security officer.

The email came less than 24 hours after new security features, designed to prevent unauthorized access to payroll-related data, were implemented in the Duke@Work self-service website.

The following security measures now are required for all payroll transactions on the Duke@Work site:

  • Bank account numbers are no longer displayed without a second layer of authorization.
  • All direct deposit bank account changes initiated through the site require the initiator to enter the complete existing bank account number in order to execute a direct deposit bank account change.
  • Enrollment in direct deposit for new users requires use of the last four digits of the Social Security number.
  • Viewing the online W-2 information also requires entering the last four digits of the user's Social Security number. 

In addition, Duke recommends that all faculty and staff enroll in and use multi-factor authentication to further secure access to Duke@Work. The enrollment process was recently streamlined to make it more efficient for users. Visit the Office of Information Technology (OIT) website for more information and to enroll. More than 3,700 Duke faculty and staff have enrolled to date.

Several other universities have experienced similar phishing attacks. In response, the Duke University and Medicine security offices are implementing new procedures to identify potentially compromised NetIDs so the accounts can be protected quickly. None of Duke's information security systems have been directly hacked through these incidents, Biever said.

"Duke will never request your NetID password or other authentication information by email or phone," Biever said.

If you do receive a suspicious email or other message requesting confidential information, immediately contact your local network administrator and OIT at https://oit.duke.edu/help/. For more information about phishing scams, visit the Duke IT Security Office website.