It was Friday just before a holiday, when the University, including URMC and Affiliates, came under a phishing attack. An email from a URMC email address started circulating, seeking immediate response and actions. Some of the subject lines were:

“Urgent Response Required!”

“Verify Your Office 365 Account”

“Important Notice for all Users”

This was the start of what users experienced on Friday.

“An Information Security investigation determined the attack started on Wednesday, with sophisticated communications directed at a single person. Once that account was compromised, it was used on Friday to further the attack,” says Mark Ballister, Chief Information Security Officer.

“Recipients of the scam email were directed to click a link or copy and paste a link into their browser and provide verification information. The links took the recipients to a page that appeared like an official University of Rochester webpage with a form to fill out. The form requested information including email address, password, telephone number, and alternative email address.”

Using the information submitted to the fake website, the attacker began communicating with more people.  Recipients received phone calls and SMS/text messages from the attacker who was pretending to be a help desk. The fake agent asked the recipients to provide the DUO passcode which was then used to login to their mailboxes.

Examples of the phishing emails that circulated University of Rochester inboxes below

How to Protect the House

“Over the years, cyber-attackers have become more sophisticated,” says Jim Forrester, URMC Chief Technology Officer, “we can’t say this frequent enough … we need to remain vigilant and skeptical.”

“Be cautious of unsolicited emails, messages, or phone calls, especially if they request sensitive information or urge immediate actions,” says Forrester. “Treat all communications from unfamiliar sources with suspicion. Pause before you click.”

Verify the legitimacy of the source. “For a phone call, if the caller identifies that he/she is from the Help Desk and you did not initiate a request for service, hang up and call the Help Desk directly.

“Also, for email, check the sender’s email address, domain name and contact details for any signs of inconsistency or spoofing,” he adds.

“Avoid clicking on suspicious links or downloading attachments from unknown sources. Be cautious of urgency and fear tactics … phishing emails often create a sense of urgency or use fear to prompt immediate action. Be wary of emails that threaten consequences for not taking immediate action or claim that your account has been compromised.”