Employees’ Direct Deposit Rerouted After Phishing Attack

Link to fake website included in phishing email message.

Duke officials are urging employees to be on alert for phishing email messages after four employees had their direct deposits for December rerouted to an unauthorized account following a phishing attack. 

A fifth employee was alerted when a bank sent a notification because the unauthorized user had entered an incorrect routing number; that transaction was stopped before any funds moved.

According to Duke's IT Security Office, the scam originated in November from a phishing message that appeared to be from "Duke IT Alert." It was sent to about 380 Duke users and instructed recipients to "confirm your login details" and directed them to a fake website that appeared similar to the standard NetID login page. 

Richard Biever, Duke University's chief information security officer, said that phishing email messages that attempt to trick users into providing account information and passwords are increasingly common. "We typically receive one to five of these each week," he said.

"We want to remind everyone that Duke will never ask for your password or information about your account via email," Biever said. "While none of Duke's information security systems have been compromised through this incident, this situation is an important reminder that our end users are the front line for security."

Duke officials are working directly with the impacted individuals and external agencies to investigate the situation further.

Anyone who believes they supplied information on a website after clicking a link in a suspicious email message should contact their local IT support or Duke's IT security offices immediately: Duke University IT Security Office at security@duke.edu or Duke Medicine Information Security Office at infosec@mc.duke.edu.

In the wake of the phishing scam, Duke's IT Security Office is reminding faculty, staff and students of the following guidelines to protect against online attacks:

  • Remember that Duke will NEVER ask for your password or information about your account via email.
  • Do NOT click any links in suspicious messages.   
  • Contact your local IT support or Duke’s IT security offices immediately if you feel your account has been compromised.

Biever said that Duke also launched additional security measures last fall through a two-step verification service, which is available to all Duke users.

As phishing schemes and password breaches become increasingly common, Duke's IT Security Office recommends that all Duke users enroll in multi-factor authentication.

Google and Twitter have implemented similar systems. A second factor protects an account far more effectively than a password alone, because a password captured by a phishing page is no longer enough by itself to log in.

When logging in, a user is required to enter both a password and a one-time code. The code can be generated by a hardware token or a smartphone authenticator application, or sent to the user by text message or through a smartphone application.
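The article does not describe how Duke's service produces or checks these codes. As an added illustration (not Duke's code, and not a description of its provider), the following Python shows the time-based one-time password algorithm from RFC 6238 that many smartphone authenticator apps and hardware tokens implement: the app and the server share a secret, each derives the current six-digit code from that secret and the clock, and the code is never sent ahead of time. The server-side verifier also refuses to accept a code twice, so a code intercepted on a phishing page cannot be replayed after the victim has used it. The secret is the published RFC 4226/6238 test-vector key and the password is made up; both are constructed for the example.

```python
"""TOTP second factor (RFC 6238) with a replay-resistant server-side check.

Added example; the shared secret and password below are constructed demo values.
"""
import hashlib
import hmac
import struct

# Constructed: the RFC 4226/6238 test-vector key, not a real user's secret.
DEMO_SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step
DIGITS = 6     # code length shown by the authenticator


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """The code an authenticator app or token displays at a given Unix time."""
    return hotp(secret, unix_time // step, digits)


class SecondFactorVerifier:
    """Server-side check of a submitted code for one enrolled user.

    Accepts the current time step or one step either side to tolerate clock
    skew, and never accepts a step at or before the last accepted one, so a
    code that was already used (or captured and replayed) is rejected.
    """

    def __init__(self, secret: bytes, step: int = STEP, digits: int = DIGITS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter = -1  # highest time step already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = unix_time // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already used: refuse replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


def login(stored_password: str, verifier: SecondFactorVerifier,
          password: str, code: str, unix_time: int):
    """Two-step login: both factors must pass. Returns (ok, reason).

    The password check is simplified to a constant-time string compare; a real
    system would compare against a salted password hash.
    """
    if not hmac.compare_digest(stored_password, password):
        return False, "bad password"
    if not verifier.verify(code, unix_time):
        return False, "bad or reused code"
    return True, "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time
    verifier = SecondFactorVerifier(DEMO_SECRET)
    shown = totp(DEMO_SECRET, now)
    print("authenticator shows:", shown)
    print("password only:", login("hunter2", verifier, "hunter2", "", now))
    print("password + code:", login("hunter2", verifier, "hunter2", shown, now))
    print("same code again:", login("hunter2", verifier, "hunter2", shown, now))
```

Run stand-alone, the script shows that a phished password without the code is refused, the password plus the current code succeeds, and submitting the same code a second time is refused.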

Duke's Office of Information Technology requires that system, network and application administrators who have higher-level access to systems use multi-factor authentication.

The service currently is optional for other Duke users. Any Duke faculty, staff or student can set up multi-factor authentication for their NetID and can select which of about 1,100 Duke-managed applications or websites, including the Duke@Work self-service site, will use it. Register online.