[Phish] UofT: Duo Security Appointment Form

Some U of T community members reported receiving this phishing email. Do not respond, click any links or provide personal information. If you receive a Duo Mobile push notification for UTORMFA or other MFA-enabled accounts that you did not initiate, do not approve the request.

Description of the phish

This phishing email attempts to steal personal information, login credentials and Duo one-time passcodes by providing false information about the user’s UTORid/JOINid being filed for deactivation.

How to protect yourself

  1. If you receive a Duo, UTORMFA or any other MFA notification that you did not initiate, do not approve the request.
  2. Do not respond to emails that ask for your MFA one-time passcodes and report them to report.phishing@utoronto.ca.

What to do if you engaged

If you engaged with the sender, please reach out to security.response@utoronto.ca immediately.

Email details

Subject: UofT: Duo Security Appointment Form

Your UTORid / JOINid account has been filed under the list of accounts set for deactivation due to retirement/graduation/or transfer of the concerned account holder.

But the record shows you are still active in service and so advised to verify this request otherwise give us reason to deactivate your university account.

Please send the requested information below to this phone number *malicious phone number* via SMS ONLY, to verify your UTORid / JOINid immediately to avoid Deactivation and to book an appointment:

* Full Name:

* Campus Email:

* UTORid / JOINid:

* Passw0rd:

* DUO Security Cell Phone Number:

* Duo 6 digit passcode on your Duo Mobile (Kindly check your Duo Mobile) :

* Date of Birth:

NOTE: Please check your Duo Mobile and fill in the 6-digit passcode above correctly.

Please note the one-time submission and entry only..

[Phish] (Attn user.name) | 2 Factor Authentication (2FA) Outdated Today | Friday-September-2023 06:53 AM


Subject: (Attn user.name) | 2 Factor Authentication (2FA) Outdated Today | Friday-September-2023 06:53 AM

Microsoft 2FA Policy

Dear user ,

Your authenticator session is expiring today, Kindly re-authenticate to avoid being locked out of your email account.

Quickly Scan below QR Code with your Smartphone camera to re-authenticate your password security.

*malicious QR code*

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information or may otherwise be protected by law. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and any attachment thereto

If you receive a Duo Mobile push notification for UTORMFA or other MFA-enabled accounts that you did not initiate, do not approve the request.

Beware of MFA fatigue

Scammers use social engineering tactics to gain access to organizational systems and cause data breaches. One tactic that has increased recently is MFA fatigue, which overwhelms users with continuous MFA notifications (such as the UTORMFA Duo Mobile prompts) until they approve the login request to stop the surge of notifications being sent to their devices.

How to protect yourself from MFA fatigue

  1. If you receive a Duo Mobile push notification for UTORMFA or other MFA-enabled accounts that you did not initiate, do not approve the request.
  2. Immediately change your UTORid password and contact the IT Helpdesk for additional recommendations.

Additional resources for digital safety

Phishing 101: Spot, report and prevent

Some people may wonder how much damage an email can cause, but did you know that around 90 per cent of cyber incidents occur as a result of a successful phishing attack?

With increased reports of cyber attacks around the world, it’s important to know what to do in the event of a phishing attack. Use this quick guide to learn how to protect yourself.

What is phishing?

Phishing is a form of social engineering used by cyber criminals to trick individuals into clicking a malicious link, downloading malware or sharing sensitive information. Generally, the messages are convincingly disguised as to appear legitimate.

Received a suspicious email? Pause to think before you act.

Ask yourself these questions if you receive a suspicious email before you engage with the email:

  1. Does this message make sense?
  2. Why am I receiving this email?
  3. Does the tone seem unnecessarily rushed or urgent?
  4. Am I being asked to download an attachment or click on an unknown link?
  5. Am I being asked for information that is personal or sensitive?

If your answers don’t clear your suspicions, then report the email immediately. Learn more about how to identify and report a phishing attempt.

What to do if you suspect an email to be a phishing attempt

  1. Do not interact with the sender. Do not click on links, download attachments, provide personal information or forward it to your contacts.
  2. If in doubt, call or ask the sender in-person to confirm if the email is really from them.
  3. Report the email to report.phishing@utoronto.ca and then delete it from your inbox.
  4. If you already engaged with the sender or clicked on a link or attachment, please contact security.response@utoronto.ca immediately for assistance.

How can you prevent future phishing attacks?

Hackers frequently steal login credentials to access email accounts. These compromised accounts are then used to send phishing emails to other unsuspecting individuals. Protect your online accounts to prevent this from happening:

  1. Use multi-factor authentication (MFA) for your online accounts. Enrol in UTORMFA, U of T’s multi-factor authentication solution, to add an extra layer of protection to your U of T online accounts.
  2. Create unique and strong passwords for your online accounts.

Keep an eye out for these common types of phishing:

  1. Email phishing: Fraudulent emails designed to manipulate individuals into revealing sensitive information or taking other harmful actions.
  2. Spear phishing: Fraudulent emails targeting a specific group or individual in an organization.
  3. Whaling: Fraudulent emails targeting senior executives at an organization.
  4. Smishing: Phishing messages sent via SMS.

Check out the Phish Bowl for examples of actual phishing emails received by members of the U of T community.

Visit the Security Matters website regularly to learn more about information security and online safety.

Data privacy: A multi-faceted topic in higher education

To celebrate Data Privacy Day on Jan. 28, Information Technology Services (ITS) hosted a virtual panel event: Impact of evolving technology and privacy laws in higher education. The one-hour event opened a conversation about data privacy and protection and answered privacy questions from the University of Toronto (U of T) community.

Over 145 attendees including staff, faculty and students from the tri-campus community joined virtually to learn from legal, cybersecurity and privacy experts on how changes in technology and privacy laws impact higher education. The featured panelists were:

  • Ashley Langille, Information Privacy Analyst
  • Carlos Chalico, IT Risk and Privacy Consultant, EY & Instructor, School of Continuing Studies, U of T
  • Daniel Michaluk, Information Security and Privacy Lawyer & Partner, Borden Ladner Gervais LLP
  • Deyves Fonseca, Associate Director, Information Security Operations

The event was moderated by Rafael Eskenazi, Director, Freedom of Information and Protection of Privacy (FIPP) Office.

“The Data Privacy Day virtual panel event provided a great opportunity to engage with the U of T community, to answer their questions about privacy and to share University resources they can use to protect personal information,” said Kalyani Khati, Associate Director, Information Security Strategic Initiatives.

Highlights from the event

DPD panel event screenshot

From left to right: Deyves Fonseca (bottom left), Daniel Michaluk (top left), Rafael Eskenazi (top right), Carlos Chalico, Ashley Langille (bottom right)

Daniel Michaluk began the session by speaking about the Freedom of Information and Protection of Privacy Act (FIPPA) and observed how there hasn’t been an adverse regulatory finding about a university’s privacy practices since FIPPA was introduced in Ontario. Michaluk explained that this can be attributed to the good work done by the universities of Ontario, so there is no historical basis for additional regulation in the sector.

“Right from the start in 2006, all the Ontario universities took FIPPA and privacy protection very seriously, and from some good work early on by the Council of Ontario Universities, there’s been a continuous dialogue in the sector about privacy,” he said.

Speaking about the University’s digital transformation, Deyves Fonseca expressed that the pandemic brought significant changes with the move of data to the cloud. He said that the move to using the cloud is going to continue and accelerate as part of U of T’s digital transformation as we prepare to go back to in-person work and learning.

Collaboration was the keyword during Carlos Chalico’s presentation. “We need to think about collaboration across organizations to minimize cyber security risks,” said Chalico. “Alliances are necessary within organizations to protect information as a business issue, not just a tech issue.”

Ashley Langille remarked that the inclusion of stricter General Data Protection Regulation (GDPR) focused language in privacy policies has created issues with informed consent, as the language in these policies often only apply to data of European Union (EU) citizens and is often misinterpreted to apply to all users. Ashley noted that inclusion of a GDPR protection in policy does not necessarily translate to FIPPA compliance.

The presentations were followed by a Q&A session which consisted of pre-submitted and live questions from the audience. Some key highlights from the Q&A session:

Raffle winners

Two attendees were randomly selected to win a $50 U of T Bookstore gift card. Congratulations to the raffle winners:

  • Bismah Khalid, On Location Accessibility Advisor, University of Toronto Accessibility Services
  • Linda Ye, Senior Auditor – Information Systems, Internal Audit Department

Visit the Security Matters website to learn more about protecting yourself online and your data.