Beware of fraudulent payroll notification emails

The information below was sent to the IT Security Community and Frontline Notify (FLN) groups via email on July 13, 2018.

We have seen a flurry of fraudulent emails at U-M with subject lines like this: Payroll Notification. The emails direct recipients to a fake Weblogin page designed to steal uniqnames and passwords. This is not a new scam, but it continues to trick some people into revealing their password.

We have taken the following actions, as we do with all phishing scams like this:

  • Reported the phishing site to the hosting Internet Service Provider (ISP).
  • Asked UMNet to block the malicious IP address on U-M networks.
  • Added the site to Google Safe Browsing.
  • Added information about the site to the U-M threat intelligence system. This system is used to automatically update firewall rules, malware filters, and more.
  • Worked with Michigan Medicine Exchange email administrators to automatically remove the phishing email from users' inboxes if it was unopened.
  • Sent emails to those we were able to identify as recipients and worked with them to change their passwords.
  • Posted a copy of the phishing email to Phishing Alerts on Safe Computing.

Please help us continue to help members of the university community protect themselves against phishing scams like this by sharing the information below with those in your unit.

Information to Share in Your Unit

Protect Yourself Against Phishing & Password Theft

Criminals use malicious phishing emails to trick you into revealing your passwords, which then gives them access to your accounts. Protect the university and yourself by learning to spot phishing attempts.

  • Turn on two-factor for Weblogin. If your password is stolen, two-factor stops the password thief from accessing your account. This is the single-most important thing you can do to protect your UMICH account.
  • Look carefully at all links in emails before clicking. If you aren't sure a link is legitimate and safe, don't click.
  • If the URL doesn't look right, don't click it! The URL in the Payroll Notification phishing email, for example, is clearly not a U-M web address.
  • Look before you log in. It is common for attackers to set up fake login sites. Always check the URL before providing your password.
  • Check the phishing alerts on Safe Computing. IA staff members post phishing and other malicious emails reported to them by members of the U-M community. Check to see if the email you received is posted there.
  • Hover over links in emails with your mouse to see the actual destination. Most email programs show the URL in the bottom left corner of the window when you hover over a link. Check whether the URL matches the link in message text. If the message claims to be about the university, look to see if the URL looks like other university URLs you are familiar with.
  • Double check. If you are suspicious of a link or attachment, don't click. Check with the sender by phone or in person to see if they actually sent the message.
  • If you think you have entered your password on a phishing site, change your password and report the attempt. See What to Do if Your Account May Be Compromised.
  • Learn more about fraudulent emails at Phishing & Suspicious Email. That page has links to examples of phishing emails, online training, and a video about spear phishing.

How Information Assurance Protects You

As U-M Information Assurance becomes aware of phishing attempts at U-M, staff members block access to the fake Weblogin sites from U-M networks, report the malicious sending addresses to Google so they can be blocked for U-M Google users, and take other actions to protect U-M systems and services.