
Multi-step phishing attack aims to collect login credentials and personal info

The U’s Information Security Office (ISO) warns students, faculty, and staff about an ongoing, sophisticated, multi-step phishing attack that aims to collect users’ credentials and personal information, potentially to get unauthorized access to university and personal accounts.

The ISO is acting proactively to safeguard university accounts and resources, and has directly contacted known recipients with instructions and help resources.

The phishing attack strategy

  1. The attacker sends one or more phishing emails with links to sites that impersonate university webpages to gather usernames and passwords. These messages can take many forms, but most have been fake job offers. Please visit the ISO’s Phish Tank to review recent phishing attacks (login required) so you know what to expect.
  2. The attacker later sends one or more phishing emails to gather personal information via a Google form. The form asks for name, phone number, alternative (personal) email address, school email address, current occupation, citizenship status, and home address. The most recent phishing message reads: “This is the last time we will notify you that we’ll stop processing incoming emails in your school account, and the reason is you failed to verify your Microsoft account which may lead to the permanent deletion of your account from our database in the next few hours. Kindly take a minute to complete our email verification below. fill the form below.”

Screenshot of the Google phishing form:

Screenshot of the Google form that the attacker uses to collect personal information, including name, phone number, alternative (personal) email address, school email address, current occupation, citizenship status, and home address of phished U students, faculty, and staff. The questions are in white boxes on a pink background.

  3. Using the username and password collected in Step 1 and the phone number provided in Step 2, the attacker sends an SMS or text phishing message asking the user a series of questions to ultimately get them to accept a Duo two-factor authentication (2FA) push notification. This allows the attacker to access the user’s university account — and personal account(s) if they use the same password. With access to a personal account, criminals can steal the user’s identity, take over their bank account, etc.

Screenshot of the phishing text messages:

Text messages from October 1, 2024. The messages, which are a phishing attack, ask the recipient if they want to deactivate their U of U email account. When the recipient responds “No,” the spammer, who already has the user’s credentials from an earlier phishing attack, sends them a Duo push notification to approve, gaining full access to their U account.

What to do 

  • If you received a phishing email, please delete it.
  • If you received a phishing text message, please call your designated central IT help desk to report it:
    • Main campus, 801-581-4000
    • University of Utah Health, 801-587-6000
  • If you provided any personal information to the scammer:
    • Please log in to CIS, immediately reset your university password, and call your IT help desk to open a “high” urgency ticket with the ISO.
    • Reset the password for your personal email accounts and for any personal accounts that reuse your university password and/or personal email account password.
    • Be on the lookout for, block, and report to your IT help desk any text messages claiming to be from the university or an affiliate that ask you to approve a Duo 2FA push notification.
  • If you have any questions, please contact your IT help desk.
