Multi-factor Authentication Scams

What is a Multi-factor Authentication Scam?

A threat actor uses a legitimate multi-factor authentication (MFA) service, such as Duo, to trick people into giving access to their account by getting them to provide an MFA approval. Typically, this occurs after the threat actor has already stolen their login credentials.

How it Works

The Duo service may be used in a couple of ways to trick people into approving access to their accounts:

  • A threat actor sends an email with a link to an online form (e.g. Google form). The email and form may impersonate a real U-M department. The form may request:
    • login information and/or a Duo passcode, or
    • the recipient’s phone number, which is used to send a text impersonating a trusted source, such as the ITS Service Center, instructing them to approve a push notification they are about to receive and enter a 3-digit verification code that the sender provides.
  • An unexpected Duo notification is sent to a person when they are not trying to log in. In this situation, a threat actor has used their stolen login information to attempt to log in to their account and is trying to use Duo to complete the multi-factor authentication step. The Duo 3-digit verification code step implemented in fall 2024 provides an additional level of security which is intended to reduce the likelihood of this type of scam, but it is important to remain vigilant.

What to Watch Out For

Pay close attention whenever you are asked to provide a Duo passcode or are prompted to approve a Duo push notification. Look for red flags, such as:

  • You receive a Duo notification though you have not tried to log in, particularly repeated Duo notifications.
  • You are asked to provide a Duo passcode in any online form other than the official Duo prompt screen.
  • The location displayed on the Duo Approval screen is not in the region of your Internet Service Provider, such as another country. This may be a clue that someone else is trying to log in to your account from the location displayed.
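
For staff who review MFA logs, the red flags about repeated notifications and an unusual location can be turned into a simple check. The following is an added example, not part of the original page or any U-M or Duo tooling; the event fields, sample events and home-country baseline are constructed assumptions and do not reflect Duo's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions for this example,
# not Duo's log schema. "ZZ" is a placeholder country code.
EVENTS = [
    {"user": "alice", "time": "2024-11-05T09:00:00", "result": "approved", "country": "US"},
    {"user": "bob", "time": "2024-11-05T02:10:00", "result": "denied", "country": "US"},
    {"user": "bob", "time": "2024-11-05T02:11:30", "result": "timeout", "country": "US"},
    {"user": "bob", "time": "2024-11-05T02:13:00", "result": "denied", "country": "US"},
    {"user": "carol", "time": "2024-11-05T14:00:00", "result": "denied", "country": "ZZ"},
]
HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "US"}  # assumed baseline


def red_flags(events, home, window=timedelta(minutes=10), threshold=3):
    """Return {user: set of flag names} for the two log-visible red flags."""
    flags = defaultdict(set)
    unanswered = defaultdict(list)  # times of pushes the user did not approve
    for ev in sorted(events, key=lambda e: e["time"]):
        user, when = ev["user"], datetime.fromisoformat(ev["time"])
        # Red flag: push requested from outside the user's usual region.
        if user in home and ev["country"] != home[user]:
            flags[user].add("unusual_location")
        # Red flag: repeated pushes the user denied or ignored in a short window.
        if ev["result"] in ("denied", "timeout"):
            recent = [t for t in unanswered[user] if when - t <= window]
            recent.append(when)
            unanswered[user] = recent
            if len(recent) >= threshold:
                flags[user].add("repeated_pushes")
    return dict(flags)


if __name__ == "__main__":
    for user, found in sorted(red_flags(EVENTS, HOME_COUNTRY).items()):
        print(user, sorted(found))
```

A flagged user is a candidate for a password reset and account review, since repeated unapproved pushes typically mean the password is already in someone else's hands.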

How to Protect You and U-M

  • Do not approve unexpected Duo push notifications and do not enter Duo passcodes into forms other than the official U-M Duo prompt.
  • Report Phishing & Email Abuse.

If You Get Caught

If you shared your login information under suspicious circumstances, such as via a Google form, your account has been compromised. Even if you don’t remember providing your login credentials, an unexpected Duo notification typically indicates that your password has been stolen.

  • Change your UMICH password immediately and follow the instructions at What to Do if Your Account is Compromised.
  • Carefully review the activity on any account that became vulnerable as a result of responding to the scam.

Scam Examples

Example 1

A link in an email sends you to a fake Weblogin screen followed by a U-M branded screen asking for a Duo passcode.

Fake Weblogin page with incorrect URL circled. Should be weblogin.umich.edu.

Page impersonating a U-M department and asking for a Duo passcode, but it's not the official Duo prompt.

Example 2

A U-M branded page instructing you to approve a fraudulent Duo notification, purportedly from U-M Careers.

Page made to look like a U-M careers page instructing you to approve a fraudulent Duo push notification.