Multi-factor Authentication Scams

What is a Multi-factor Authentication Scam?

A threat actor uses a legitimate multi-factor authentication (MFA) service to trick people into giving access to their account by getting them to provide an MFA approval. Typically, this occurs after the threat actor has already stolen their login credentials.

How it Works

A threat actor tricks a person into approving multi-factor authentication in order to gain access to their accounts. This can occur in multiple ways:

  • A threat actor sends an email with a link to an online form (e.g., a Google form). The email and form may impersonate a real U-M department. The form may request:
    • login information and/or a multi-factor passcode, or
    • the recipient’s phone number, which is used to send a text impersonating a trusted source, such as the ITS Service Center, instructing them to approve a push notification they are about to receive.
  • An unexpected multi-factor push notification is sent to a person when they are not trying to log in. In this situation, a threat actor has used their stolen login information to attempt to log in to their account and is trying to complete the multi-factor authentication step.
  • A threat actor may impersonate U-M's multi-factor authentication service in text messages in order to induce a person to provide a passcode.

What to Watch Out For

Pay close attention whenever you are asked to provide a multi-factor passcode or are prompted to approve a multi-factor push notification. Look for red flags, such as:

  • You receive a notification though you have not tried to log in, particularly repeated notifications.
  • You are asked to provide a passcode in any online form other than the official prompt screen.
  • The location displayed on the screen is not in the region of your Internet Service Provider, such as in another country. This may be a clue that someone else is trying to log in to your account from the location displayed.
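
For administrators, the same red flags can be checked from the service side. The following is an added example, not part of the original page or of U-M's tooling: it scans MFA events for repeated push prompts and for prompts from an unfamiliar country. The event tuple layout, the home-country baseline, and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA events (hypothetical layout, not a real vendor log format):
# (timestamp, user, factor, result, country)
EVENTS = [
    ("2024-03-04T08:01:10", "alice", "push", "approved", "US"),
    ("2024-03-04T23:40:02", "bob", "push", "denied", "RO"),
    ("2024-03-04T23:40:45", "bob", "push", "timeout", "RO"),
    ("2024-03-04T23:41:30", "bob", "push", "denied", "RO"),
    ("2024-03-04T23:42:05", "bob", "push", "approved", "RO"),
    ("2024-03-05T09:15:00", "carol", "push", "approved", "US"),
    ("2024-03-05T14:00:00", "carol", "push", "approved", "BR"),
]
# Assumed baseline: the country each user normally authenticates from.
HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "US"}


def review_pushes(events, home, window=timedelta(minutes=10), threshold=3):
    """Return {user: sorted list of red flags} for push notifications."""
    flags = defaultdict(set)
    recent = defaultdict(list)  # user -> times of recent unapproved pushes
    for ts, user, factor, result, country in sorted(events):
        if factor != "push":
            continue
        when = datetime.fromisoformat(ts)
        # Red flag: prompt originates outside the user's usual region.
        # Users with no baseline are not flagged on location.
        if country != home.get(user, country):
            flags[user].add("unfamiliar_location")
        # Keep only unapproved prompts that fall inside the sliding window.
        recent[user] = [t for t in recent[user] if when - t <= window]
        if result == "approved":
            # Approval right after a burst of prompts suggests the user gave in.
            if len(recent[user]) >= threshold:
                flags[user].add("approved_after_repeated_prompts")
            recent[user].clear()
        else:
            recent[user].append(when)
            # Red flag: repeated notifications the user did not approve.
            if len(recent[user]) >= threshold:
                flags[user].add("repeated_prompts")
    return {user: sorted(found) for user, found in flags.items()}


if __name__ == "__main__":
    for user, found in review_pushes(EVENTS, HOME_COUNTRY).items():
        print(user, found)
```

An account flagged with `approved_after_repeated_prompts` should be treated as compromised: reset the password and review recent account activity.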

How to Protect Yourself and U-M

  • Do not approve unexpected push notifications and do not enter passcodes into forms other than the official prompt.
  • Do not provide a passcode in response to a text message.
  • Report Phishing & Email Abuse.

If You Get Caught

If you shared your login information under suspicious circumstances, such as via a Google form, your account has been compromised. Even if you don’t remember providing your login credentials, an unexpected notification typically indicates that your password has been stolen.

  • Change your UMICH password immediately and follow the instructions at What to Do if Your Account is Compromised.
  • Carefully review the activity on any account that became vulnerable as a result of responding to the scam.

Scam Examples

Example 1

A link in an email sends you to a fake Weblogin screen, followed by a U-M branded screen asking for a multi-factor authentication passcode.

Fake Weblogin page with incorrect URL circled. Should be weblogin.umich.edu.

Page impersonating a U-M department and asking for a Duo passcode, but it's not the official Duo prompt.

Example 2

A U-M branded page instructing you to approve a fraudulent multi-factor authentication notification, purportedly from U-M Careers.

Page made to look like a U-M careers page instructing you to approve a fraudulent Duo push notification.

Example 3

A threat actor impersonating U-M's multi-factor authentication service in text messages in order to induce a person to provide passcodes.

Text messages impersonating Duo, trying to steal Duo passcodes.