It was the Friday just before a holiday when the University, including URMC and Affiliates, came under a phishing attack. An email from a URMC email address started circulating, seeking an immediate response and action. Some of the subject lines were:
- “Urgent Response Required!”
- “Verify Your Office 365 Account”
- “Important Notice for all Users”
This was the start of what users experienced on Friday.
“An Information Security investigation determined the attack started on Wednesday, with sophisticated communications directed at a single person. Once that account was compromised, it was used on Friday to further the attack,” says Mark Ballister, Chief Information Security Officer.
“Recipients of the scam email were directed to click a link or copy and paste a link into their browser and provide verification information. The links took the recipients to a page that appeared like an official University of Rochester webpage with a form to fill out. The form requested information including email address, password, telephone number, and alternative email address.”
Using the information submitted to the fake website, the attacker began communicating with more people. Recipients received phone calls and SMS/text messages from the attacker, who was pretending to be a help desk. The fake agent asked the recipients to provide their Duo passcode, which was then used to log in to their mailboxes.
[Images: examples of the phishing emails that circulated in University of Rochester inboxes]
How to Protect the House
“Over the years, cyber-attackers have become more sophisticated,” says Jim Forrester, URMC Chief Technology Officer. “We can’t say this frequently enough … we need to remain vigilant and skeptical.”
“Be cautious of unsolicited emails, messages, or phone calls, especially if they request sensitive information or urge immediate actions,” says Forrester. “Treat all communications from unfamiliar sources with suspicion. Pause before you click.”
Verify the legitimacy of the source. “For a phone call, if the caller identifies that he/she is from the Help Desk and you did not initiate a request for service, hang up and call the Help Desk directly.
“Also, for email, check the sender’s email address, domain name and contact details for any signs of inconsistency or spoofing,” he adds.
“Avoid clicking on suspicious links or downloading attachments from unknown sources. Be cautious of urgency and fear tactics … phishing emails often create a sense of urgency or use fear to prompt immediate action. Be wary of emails that threaten consequences for not taking immediate action or claim that your account has been compromised.”
Think before you click or give out sensitive information
When you suspect a phishing attempt, here’s what you should do:
- Never give out your password.
- Never give an SMS passcode to anyone and be aware that IT will never request a Duo code from you unless you initiate the call.
- If you think your UR or URMC account has been compromised, contact the University Help Desk (585.275.2000, firstname.lastname@example.org) or URMC ISD Help Desk (585.275.3200, ISDHelpdesk@URMC.Rochester.edu)
- Should you receive emails claiming to be from the Help Desk, do not respond to the message, but instead reach out to them directly (University Help Desk: 585.275.2000 or URMC ISD Help Desk: 585.275.3200).
- If you receive an email from someone you do not usually communicate with (even if it appears internal), do not click any links or respond to the email. Instead, forward the email as an attachment to email@example.com.
- The Help Desk will never send shortened hyperlinks and will always include the full extended version.
- Information Security https://tech.rochester.edu/security/
- Security Tips https://tech.rochester.edu/security-tips-archive/
- IT, Security & Privacy Program https://sites.urmc.rochester.edu/departments/it-security-privacy-program/