
Recent phishing attempts at W&M

Summary

W&M Information Security has been tracking and monitoring some recent phishing attempts impacting students, faculty and staff at the university.

Full Description

W&M Information Security is aware of recent sophisticated phishing attempts that have targeted students, faculty and staff at the university. It is critical that our community know how to identify a phish and what to do once they have identified one.

Phishing scams may take the form of bogus emails that often appear entirely legitimate. While many variations have been reported, the bottom line is the same: these are not legitimate requests. 

The recent attacks have led individuals to a fake Duo screen that some have mistaken for the actual W&M Duo screen. If you were prompted by the fake Duo screen, your information has already been compromised, and the following steps should be taken immediately: 

  1. Change your password
  2. Forward the phishing email to abuse@wm.edu.

This particular phishing attempt featured a fake Duo screen that at first glance looks legitimate, but when you look a little bit closer there are some glaring issues. For one, it asks you for a passcode from Duo Mobile and does not give the other authentication options like a push notification or a phone call. In addition, the URL is not one that you would ever see paired with a W&M service. These are red flags. 

For years, phishers have established credibility by creating email messages that use the same typeface and logos as legitimate organizations. 

Phishers are tricky, but there are ways to look for some warning signs:

  1. Avoid clicking on links within suspicious-looking emails. Phishers have devised ways to mask webpages and URLs to look remarkably legitimate.
  2. Often phishing messages contain grammatical or typographical errors.
  3. Phishers tend not to personalize their emails, since they usually don't know their recipients' identities or even whether the recipient has any affiliation with the organization they're trying to spoof.
  4. Prizes galore, but only in exchange for some of your personal or financial data. Hint: there is no prize.
  5. It's urgent! No, it's not. W&M IT is not going to do any upgrades or changes to your account without notifying you in advance. Look for announcements in the W&M Digest and on the W&M IT homepage.

If you've been a victim of a phishing scam, immediately change the password for any at-risk accounts. If the phish came to your W&M inbox, forward it to abuse@wm.edu.

If you have any questions, please reach out to [[ciso]].