Over the past week, UMD has seen a rapid increase in the number of spear phishing attacks directed at UMD employees. In a spear phishing attack, a forged email is commonly sent to members of the UMD community, and the goal is to get people to click on an email attachment. The forged email shows the name of a trusted member of the UMD community such as your department chair or business officer.

In the recent attack campaign, the email contains a PDF attachment that, once opened, leads the recipient to a page that requests their username and password. If the username and password are entered, they receive a fraudulent request from the DUO multi-factor authentication (MFA) system. Should they click “Approve” to this fraudulent MFA attempt, the attacker then has access to all of their UMD accounts and services. This puts both the individual’s and the university’s data at risk.

Unfortunately, in the past week multiple members of the UMD community have clicked “Approve” on the fraudulent DUO request and had their accounts compromised.

To prevent this type of attack, here are a few important cybersecurity steps to follow:

  1. Carefully check the email address in the “from” field of all emails sent to you, not just the name on email messages. If the email address is not @umd.edu (i.e., it is @gmail.com), do not open any attachments and delete the email even if the name of the person and the account name matches a UMD colleague. To see the actual sending email address when using the Google web email client, you need to hover your cursor over the name of the person who sent the email. When using your phone, tap (tap twice on iPhone) on the sender’s name to see their email address.

  2. Double check anything that asks for your UMD username and password; generally it should only be the UMD Central Authentication Service (CAS) login screen. Never enter your password in anything that looks like a Google Form.

  3. Be careful when opening email attachments. PDF files can be just as dangerous as any other file type.

  4. Pause and think before clicking “Approve” on a DUO request. Only approve the request if you are currently trying to log into a UMD computer system.

  5. To the extent possible, please use the DUO app on your mobile device rather than DUO phone calls or Apple watches. The DUO app shows the city and state you are attempting to log in from. It should match, or be nearby to, your current physical location. If it shows a location far away from where you are, click “Deny” on the request.

Should you open a dubious email attachment, supply your password to a non-UMD source, or click “Approve” to a DUO request that you realize was not from you, please immediately contact the Division of IT’s Security Operations Center at soc@umd.edu.