
Additional Security Measures Added as a Result of Phishing Scams

Multi-factor authentication required for users who fall victim to phishing scams

TO:  Vice Presidents, Vice Provosts, Deans, Directors, Department Heads, and Managers

FROM:  Tallman Trask, Executive Vice President

RE:  Additional Security Measures Regarding Phishing Scams

To further protect Duke and personal data, any faculty or staff member whose NetID and password are compromised through a phishing scam will be required to enroll in Duke's multi-factor authentication service after their account is restored. Enrollment remains voluntary, but strongly recommended, for individuals whose accounts have not been compromised.

In the last few months, hundreds of Duke faculty and staff have been repeatedly targeted by phishing scams: fraudulent emails intended to fool readers into providing their Duke NetID and password. These attacks were often designed to look as if they came from Duke departments such as the Office of Information Technology or Human Resources. The most recent attack targeted several hundred Duke users, mostly faculty, and asked them to provide their NetID, password and bank account information to "confirm" a 2.5% salary increase.

In response to these attacks, Duke's IT Security Office, Office of Information Technology and Financial Services earlier this year implemented additional security features to minimize future exposures, but everyone at Duke must take individual action to protect personal data.

Duke strongly recommends that you enroll in and use multi-factor authentication to further secure access to Duke@Work. Also known as two-step verification, multi-factor authentication requires a user to log in with both a password and a one-time code that changes with every login. The code can be generated by a dedicated hardware token or a smartphone application, or sent to you by text message, so a stolen password alone is not enough to sign in.

If you choose not to use this security tool and submit your NetID and password as the result of a phishing attack, Duke cannot guarantee the replacement of any funds that may be lost as a result.

A compromised account puts at risk not only your personal data but also any sensitive data you have access to (such as patient data, student data, and protected research data). For these reasons, we will continue to monitor phishing attacks and associated account compromises and may at some point in the future require multi-factor authentication for all users. We all need to be diligent in evaluating email and any other solicitation for confidential data. Duke administrative service providers (OIT, DHTS, Financial Services, Human Resources) will never request your password or financial account information by email or telephone. If you receive a suspicious email or other message requesting your confidential information, please immediately contact your local IT support administrator or the Duke IT Security Office.

For more information about phishing, recent scams, and safety guidelines, visit the Duke IT Security Office website.