Duke hit by largest email phishing attack since 2020

Last Thursday, the Duke community was hit by the largest email phishing attack it has seen since 2020, according to the Duke Office of Information Technology. 

The fraudulent messages notified students of a “Warning” or “Urgent Warning” related to their Duke account or offered them false UNICEF jobs or remote work, per a recent OIT notice.

“This is probably the largest phishing attack that we've seen, or the most impactful phishing attack that we've seen, since about 2020,” said Richard Biever, chief information security officer for Duke OIT. 

“Unfortunately, some have provided the information, allowing the attacker to contact thousands more in the Duke system,” the notice read.

Biever declined to provide the number of emails involved in this phishing attack, citing concerns that another scammer would see the number and try to conduct another attack. 

He said that more generally, OIT’s anti-phishing system blocked 65 million fraudulent messages last month, accounting for 62% of all incoming mail in the Duke community. 

“People continue to do phishing because it works and because it doesn't require a lot of effort to do,” Biever said. Scammers can send out thousands of emails at once, and people continue to click.

Last week’s attack was carried out in two phases. In the first phase, the perpetrators sent false alerts from non-Duke email addresses that warned recipients that they were about to lose access to their Duke accounts. Alarmed recipients then followed a link and input their passwords and codes.

In the second phase of the attack, the perpetrators used these stolen passwords and codes to send out waves of fraudulent messages from Duke email addresses. These messages claimed to offer employment and were designed to steal recipients’ financial information and involve them in larger-scale scams. 

These types of scams can be thought of as “crowd-sourced money laundering,” according to Biever. When a student gives up financial information to these scams, it becomes possible that “the student is going to be held responsible for money that passes through their account.”

Email phishing and fraudulent messages are not new to the Duke community.

In 2018, a phishing attack targeted 233 people at Duke, The Chronicle reported. Since then, the community has experienced several more attacks, with the largest coming in 2020, according to Biever. In the 2020 attack, the systems of Chegg, a third-party homework-help website, were compromised. Many Duke students who owned Chegg accounts had reused their Duke passwords there, which compromised their university accounts as well.

These types of scams are also happening at other universities, with the University of Pittsburgh and the University of Wisconsin-Madison reporting similar issues.

How to protect yourself from future phishing attacks 

There are several ways that students can protect themselves from these types of attacks. Students should be suspicious of any email that asks for a password, security codes, security questions, Multi-Factor Authentication (MFA) codes, a home address, a cell phone number or bank account information. 

Suspect messages can be reported to the Duke OIT Security Team using the "Report a Phish" button. Students can also take part in the account security challenge, which includes receiving regular phishing simulation messages to test their skills. Biever also recommends setting up Duke Unlock using Face ID or Touch ID, and moving from SMS codes to Duo Push for Duo MFA.

According to Biever, both the main campus and Duke University Health System security teams “did an absolutely fantastic job responding to this. It could have been so much worse.”

“I hate that it takes something like this, but at the end of the day, it makes our community much smarter, much stronger, and we get better,” Biever said.

Holly Keegan | University News Editor

Holly Keegan is a Trinity sophomore and a university news editor of The Chronicle's 119th volume.
