Be aware of sophisticated phishing attacks that target Duo two-factor authentication

This message is intended for U-M IT staff who help support faculty, staff, and students.

Help spread awareness of recent phishing attempts that use live interaction to target Duo two-factor authentication.

In these phishing attempts, threat actors actively monitor the recipient behind the scenes in real time to acquire the Duo Push verification code as it is entered into a fake Duo prompt.

These scams are made more sophisticated because the threat actors:

  • Use relevant topics and wording to appear legitimate, such as notices of COVID-19 contact or Duo security updates.
  • Attempt to get users to log in to a fake U-M Weblogin screen, followed by a prompt to authenticate on a fake Duo screen.
  • May use fake U-M login pages that have “weblogin.umich.edu” within a longer URL.
  • Make the email appear legitimate by using graphics, branding, and layouts that closely resemble legitimate U-M communications.
  • Send the phishing emails from compromised accounts at educational institutions.

Please share this information with your unit staff, student advisors, and faculty.

  • Users who fall victim to these phishing attempts may have their accounts compromised, and the compromised accounts could be used to perpetuate the scam by sending emails to more people or other organizations.
  • These phishing scams typically focus on financial fraud, such as redirection of a person’s direct deposit payments.
  • Threat actors often use the compromised access to change a user’s email filters to delay or hide detection of malicious activity, such as changes to direct deposit accounts.

Phishing Email Example

Subject: ACTION REQUIRED: - Mandatory Duo Security Update Update Duo Before May 25 Deadline

From: U-M Information and Technology <[redacted]@umich.edu>

You received this email because you’ve been identified as someone who has outdated DUO Settings Action Required: Update Duo settings by May 25
Greetings,

In response to a recent phishing incident, we are strengthening our authentication protocols to safeguard your account and university data. Our records show that your Duo two-factor authentication (2FA) settings have not yet been updated to meet these enhanced security requirements. This upgrade is mandatory..

To ensure uninterrupted access to your account, please complete the update by May 25, 2025. Failure to act will result in the deactivation of your Duo authentication, requiring an in-person visit to our office for reactivation.

How to Update Your Settings:
Click here: Update Duo Settings [hyperlink that leads to fake login screen]

Log in with your University of Michigan credentials.

Complete Duo Push authentication and wait for the confirmation screen.

Do not exit the page manually—it will close automatically once the update is complete.

Security Reminder: This link is unique to your account. Do not share it with anyone.

Duo for iOS devices
Duo for Android devices
Thank you for your patience and commitment to keeping our systems and data secure.

How can we help you?
Contact the ITS Service Center:

Chat: chatsupport.it.umich.edu
Call: 734-764-HELP (764-4357)

Phishing Site Screenshots

[Screenshot: Fake Weblogin screen]
[Screenshot: Fake Duo Verification Code Prompt]

If You Fall for the Scam

  • Change your UMICH password immediately and follow the instructions at What to Do if Your Account is Compromised.
  • Check your email filters to make sure email notifications are coming to your inbox.
  • Use Google Security Checkup to check logged-in devices and log out of any that you don't recognize. Check for apps added the same day as your account was compromised and remove their access, even if you recognize them.
  • Individuals who have fallen victim to one of these scams and lost money as a result should contact the University of Michigan Police Department at 734-763-1131 or text 377911.
  • Forward any email communication with the scammer to [email protected].

Information for Users

Be careful where you enter your password.

  • Before entering your UMICH password on a web page, check that the page's web address/URL begins with https://weblogin.umich.edu/.
  • Threat actors may use fake U-M login pages that have “weblogin.umich.edu” within a longer URL.
  • See Look before you log in for more information.
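
The difference between a URL that begins with https://weblogin.umich.edu/ and one that merely contains "weblogin.umich.edu", shown as an added Python example that is not part of the original advisory. The function names are hypothetical and the lookalike URLs are constructed on the reserved example.net domain.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "weblogin.umich.edu"  # the host named in the advisory


def naive_check(url: str) -> bool:
    """What a hurried reader does: is the name anywhere in the URL?"""
    return EXPECTED_HOST in url.lower()


def is_genuine_weblogin(url: str) -> bool:
    """True only for an https URL whose host is exactly EXPECTED_HOST."""
    # Browsers and Python's parser disagree on backslashes, spaces and
    # control characters, so refuse them rather than guess.
    if any(c == "\\" or ord(c) <= 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    # Text before an "@" is userinfo, not the host the browser contacts.
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname == EXPECTED_HOST


# Constructed samples; example.net stands in for an attacker-controlled domain.
SAMPLES = [
    "https://weblogin.umich.edu/",
    "https://weblogin.umich.edu.example.net/login",
    "https://example.net/weblogin.umich.edu/",
    "https://weblogin.umich.edu@example.net/",
    "http://weblogin.umich.edu/",
]


def classify(urls):
    """Return (url, naive_result, strict_result) for each URL."""
    return [(u, naive_check(u), is_genuine_weblogin(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in classify(SAMPLES):
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

Every sample passes the substring check, but only the first passes the exact-host check, which is why mail filters and proxy rules should compare the parsed hostname rather than search the URL text.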

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Scams, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.