Protect yourself from phishing

If you think you may have fallen victim to an attack, change your password immediately and contact the IT Help Desk so that we can investigate.

Phishing is an attempt to obtain sensitive information, such as passwords and credit card details, via email by posing as a trustworthy entity.

To avoid a phishing attempt or report a phishing email, please see Mark as phishing in Gmail.

Steps to protect yourself

  1. Do not respond to any requests for your password.
  2. Be skeptical of any email which asks you for private information, including emails that appear to come from your supervisor or professors.
  3. Carefully analyze any message that comes from an unfamiliar source or belongs to a conversation that you did not initiate. Telltale signs of phishing include From: and Reply-To: fields used to mask the source of the email, salutations using strange language or grammar, an unreasonable sense of urgency, an unfamiliar financial institution, a requirement that the recipient click on a link, etc.
  4. Never include your password in an email. Under no circumstances should anyone ever ask for passwords via email.
  5. Report the message as phishing in Gmail to help protect others who may have received a similar phishing email.

If you question the legitimacy of an email and would like a second opinion, forward the message to the IT Help Desk, [email protected].

Email from UIndyIT will always be signed by an employee and will never ask for your password. 

Actual examples of recent phishing at UIndy

  • Attackers attempt to steal your cell phone number after obtaining login credentials. Once they obtain your number, they impersonate University leadership—including recent cases where Chris Plouff was impersonated to ask for sensitive information, wire transfers or gift cards.
  • Phishing scam using Docusign
  • Attackers pretending to be faculty or employers with enticing internship offers. If the recipient engages with these emails, there’s a brief back and forth about the requirements for the internship or “research assistant” position before being asked to submit an application and being given directions related to banking information.
  • Attackers sending an email that looked like a Google Drive shared document (for example, with the title “Feedback_on_Staff_Effectiveness_.docx”).
  • Attackers impersonating UIndy employees by opening a Yahoo or Gmail account, using legitimate first and last names of employees. The attackers then target UIndy faculty and staff within the same department with a brief email, simply asking, “Are you available?” If engaged, the fraudsters request favors and gift cards for family members.
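Two of the signs described on this page, a Reply-To: that differs from the From: address and an employee's name on an outside mail account, can be checked directly from message headers. The Python sketch below is an added example, not UIndy tooling; the domain `example.edu`, the staff name and the sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"   # assumption: placeholder for the organization's mail domain
STAFF_NAMES = {"jane doe"}   # assumption: constructed directory of employee names

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def is_org(domain):
    """True for the organization's domain or any of its subdomains."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)

def phishing_signs(raw_message):
    """Return header-based warning signs found in one raw message."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    signs = []
    # Replies would go to a different domain than the one shown as the sender.
    if reply_domain and reply_domain != from_domain:
        signs.append("reply-to-mismatch")
    # A known employee name paired with an address outside the organization.
    if display_name.strip().lower() in STAFF_NAMES and not is_org(from_domain):
        signs.append("staff-name-external-address")
    return signs

# Constructed sample messages (not real mail).
MASKED_REPLY = ('From: "IT Help Desk" <helpdesk@example.edu>\n'
                "Reply-To: collector@mail.example.net\n"
                "Subject: Password expires today\n\nClick the link now.\n")
LOOKALIKE = ("From: Jane Doe <jane.doe.office@freemail.example>\n"
             "Subject: Quick question\n\nAre you available?\n")
GENUINE = ("From: Jane Doe <jdoe@example.edu>\n"
           "Subject: Meeting notes\n\nNotes attached.\n")

if __name__ == "__main__":
    for name, raw in [("masked reply", MASKED_REPLY),
                      ("look-alike", LOOKALIKE), ("genuine", GENUINE)]:
        print(name, phishing_signs(raw))
```

A clean result only means these two header checks passed; the other signs listed above still need a human read of the message.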

MFA Fatigue Attacks

One common technique being used is called MFA (Multi-Factor Authentication) fatigue. In these attacks, an unauthorized person—having obtained your username and password—repeatedly sends DUO Push notifications, texts, or phone calls, hoping you’ll eventually approve a request out of confusion or frustration.

If you receive DUO prompts that you did not initiate:

  • Do not approve any requests.
  • Immediately change your UIndy password.
  • Report the incident to our IT team at [email protected].
  • Use the “Report as Fraud” feature in the DUO app when prompted.