We’re seeing more sophisticated phishing attacks targeting the entire University community— including faculty, staff, students, and alumni—with alluring messages designed to deceive you into revealing sensitive information. One recurring scheme attempts to strike fear by saying your University account needs to be validated so it doesn’t expire, but then redirects you to a form to obtain your login credentials. The University would never send a message like that! If you do click on a phishing link, be sure not to give away information such as your username, password, or multi-factor authentication (MFA) codes.
Some of these attacks have requested login information using a Google form. Passwords should never be entered into a Google form! Other phishing attacks may use a link that leads to a site that appears to be a clone of the University’s login page but is most definitely not. Before entering your UD credentials, always look at the link and verify that the hostname ends in .udel.edu—if the URL ends in anything else, it is likely bogus. If you think you have received a phishing email, be sure to report it right away via the new Phish Alert Button (PAB).
There has also been an uptick in attacks targeting cell phones via SMS text messages, commonly known as smishing. In this type of attack, we have seen the head of departments impersonated and text messages sent to staff within the department. The messages may say “Are you available?” or “Let me know when you get this,” and the phone number of the sender will be unknown to the recipient. The cybercriminal may go on to convey a story to convince you to trust the unknown number. If you receive a message like this from an unknown number, do not engage with the attacker—instead, contact the person being impersonated via a known and trusted method.