Do you suspect you've received a phishing email? Faculty, staff, and students can visit the Flyer Phish Bowl at any time to cross-check questionable emails and stay up to date and identify the latest scams to hit our UD community and see recent phishing incidents impacting our University.
A phishing scam is an attempt to steal your UD credentials (your username and password) or other important personal information. Below are emails that have been reported by the UD community and identified as phishing attacks. See the marked red flags on each phish email to learn how to better spot malicious emails in the future.
April 2024 Vishing (voice phishing) Scam
During this attack, a student received multiple threatening phone calls from phone numbers that appeared to be legitimate UD numbers (937-229-****), where the callers claimed to be officials from the university and threatened to take legal action and even call the police to take the student to jail.
This is a VISHING (voice phishing) SCAM. Scammers can make any number appear on your caller ID. These calls are just one more way a cybercriminal tries to steal your personal information and money.
Do not engage with these callers. Here's what to do if you receive a suspicious call:
- Maintain composure and end the call immediately.
- Do not share personal information, including passwords, social security numbers, or financial details.
- Gather details about the call, such as the phone number and any specific threats made.
- Once you hang up, contact the university using the phone numbers listed on the UD website, not the information displayed on your caller ID.
- Report the scam to the IT Service Center: (937-229-3888 or itservicecenter@udayton.edu).
Remember: UD will NEVER ask for your password or two-factor code. Calls like these are always scams.
For more information on vishing scams, check out the cisecurity.org article: Vishing and Smishing: What You Need to Know.
February 2024 Phish Scam
During this February 7th phishing attack, several students gave up their Duo codes. This enabled the attacker to log into their accounts and send multiple emails throughout campus - allegedly from the Office of the Registrar, IT Service Center, and Udayton Employee Self-Service. The attacker employed a wide range of tactics and common tricks to get a user to take action so they could steal their information, i.e. urgency and threats of account deactivation and attachments and links to an external Google Form tricking a user into providing their personal information and furthering the attack.
January 2024 Phish Scam
This basic internship scam attempted to trick the recipients into opening a malicious attachment. Note the red flags below to help spot other similar scams in the future.
November 2023 Phish Scam
A successful phishing attack on November 21st posed as an urgent IT notice requesting email account closure. This attack was set to trick recipients into entering their passwords and Duo two-factor codes into a web form, allowing the attacker to compromise their UD account and spread the phish internally. The University of Dayton and UDit will NEVER ask for your password or Duo code. Take note of the below red flags of the phish to better spot this kind of attack in the future.
September 2023 Phish Scam
On September 14th one of our campus users fell victim to a sophisticated phishing attempt. The user received an email with an encrypted attachment from “Payroll Department" - outside the University of Dayton:
The user then opened the attachment (a PDF redirecting to a Google form) purportedly from the university, requesting sensitive user information:
Similar to the phishing attack this summer, one of our members provided their personal information into the Google Form, unknowingly providing access to their UD account, which resulted in a new and separate phishing campaign targeting students, sent directly from the victim’s UD email account:
Avoid this and future Phishing Scams:
Protect your Password: UDit will NEVER ask for your password or DUO code via email or form. If you receive an unsolicited email or text asking for such information, it's a scam.
Be Skeptical of Urgent Requests: Scammers often create a sense of urgency to pressure you into making hasty decisions. If you receive a message demanding immediate action or threatening consequences, take a step back and verify its authenticity.
Verify the Sender: Check the sender's email address closely. Cybercriminals often use consumer Gmail accounts (ending with @gmail.com) or official-sounding email addresses but with slight variations or misspellings. Do not be fooled by descriptive names like udcio@gmail.com, “Help Desk,” or “udayton” anywhere besides the “@udayton.edu”
Beware of attachments: The body of the message should contain context and a signature block. Cyber attackers often share a message's body or text as an attachment to get it past our spam filters. If you open an attachment asking for your username or password information or receive a warning within Microsoft Office, stop and report it to UDit.
Report Suspicious Activity: If you received either of the emails above AND entered your data, contact the IT Service Center immediately (937-229-3888, itservicecenter@udayton.edu), and we will work with you to change your password and secure your account.
If you received a suspicious email other than those we shared here, please share that email with the IT Service center (937-229-3888, itservicecenter@udayton.edu), and we will take measures to stop its delivery.
August 2023 Phish Scam
This August 8th phish scam attempted to trick the recipient into replying to further a social engineering ploy around fake Covid relief money. The vigilant recipient did not bite. Notice the red flags below and utilize this resource for tips on spotting and avoiding similar scams in the future:
7 Ways to Avoid Employee Retention Credit Scams
July 2023 Compromised Google Account
This July 24th attack email went to a student’s personal account with the goal of compromising his UD account. He clicked the link and ended up giving them enough Personally Identifiable Information (PII) via the web form below to be able to answer password reset challenge questions. The bad guy got the help desk to reset his password, but not to reset his DUO device.
When the user clicked on the Click to apply link this page appears and is attempting to harvest PII (it's displayed in two columns due to the length of the page):
July 2023 Compromised Google Account
This July 18th attack used a compromised Google account by the bad guys trying to collect usernames and passwords. Note the red flags to help spot future attacks like this one:
June 2023 Fake Job Offer - Check Fraud Scam
This June 16th phish is attempting to get recipients to hit their malicious web site and / or submit personal information via a resume. Those who bit on this phish were then sent a check and asked to spend what they needed and return the rest electronically before the check bounced. The attacker would get money "back" while the victim was on the hook for funds that didn't exist. This was sent from an internal account which had been compromised earlier to make it seem more official and get past external flagging. Note the red flags which indicate it's an attack:
June 2023 Credential Harvesting Scam Attack
This scam attack happened between 6/8/23 and 6/14/23 and attempted to get users to go to a fake site with UD branding and enter in their credentials to compromise their accounts. Notice the red flags called out in the screenshot of the email:
Malicious Credential Harvesting
This is a malicious credential harvesting site. The red flags are called out here as well:
May 2023 Malicious Document Attack
This phish attack occurred 5/19/23 sent to multiple users in an attempt to get them to download a malicious document to infect their systems. Note the red flags below indicating why it's suspicious:
April 2023 Fraudulent HR Tax Document Scam
This phishing attempt happened 4/24/23 and attempted to trick the recipient into going to a malicious site to compromise their system under the guise of fixing "tax forms" sent from "HR". Note the red flags below:
