NOTICE: Beware of increased phishing and fake login sites

Wednesday, October 26, 2016

The information below was sent to the IT Security Community and Frontline Notify groups at U-M on October 26, 2016.

Over the past few weeks we have seen yet another uptick in the number of phishing emails sent to U-M accounts. Many of these emails direct recipients to fake U-M Weblogin or U-M Health System login pages. If people provide their password on these fake sites, their accounts are compromised. We have also seen a handful of cases where the compromised U-M accounts may have been used to view information in Wolverine Access.

Now that two-factor for Weblogin is available, we are encouraging people to turn this on to better protect their personal information in Wolverine Access and more. Would you please share the information below with people in your units?

Protect Yourself from Phishing

Phishing emails are scams designed to steal your password and gain access to your account. If criminals compromise your U-M account, they can change your direct deposit information and view your W-2 in Wolverine Access, send email in your name, and more. Follow these tips to protect yourself:

  • Turn on two-factor for Weblogin. This extra layer of security stops criminals from using a stolen password to compromise your account.
  • Check the address or URL on login screens before entering your password. On the U-M Weblogin page, check that the URL begins with https://weblogin.umich.edu/ before entering your UMICH (Level-1) password. Also see Look Before You Log In.

    Image showing that the URL on the real Weblogin page sharts with https://weblogin.umich.edu/

  • Check links in emails before clicking them. Hover over the link with your mouse to reveal the URL. On a touch-screen device, you can usually touch and hold down the link to reveal the full URL.
  • Check before opening shared documents and email attachments. If the message seems at all suspicious, don't open the document or attachment. The sender address may be forged. Contact the person the message appears to be from, via phone or in person, to ask if they sent the message or not. Also see Shared Document Emails Can Be Traps.
  • Hone your phish-detection skills by playing U-M's online game: Don't Fall for Phish!

Flyers You Can Post

Download, print, and post these 8-1/2 x 11 inch flyers:

  • Protect Your U-M Account. Check links in email before clicking, don't open suspicious attachments or shared docs, and look before you log in.
  • Turn on Two-Factor for Weblogin. Your password needs a partner. Turn on two-factor authentication for Weblogin for an extra layer of security for your personal information at U-M.

Digital signs are also available in U-M Box in Safe Computing - Security Tips.