UNIVERSITY PARK, Pa. – The Office of Information Security (OIS) said Penn State students, faculty and staff should be on alert for text message phishing scams, called “smishing,” which attempt to hack users’ Duo two-factor authentication account and access their Penn State accounts.
The smishing scam operates by sending a text message requesting a Duo authorization code to access the user’s Duo profile. Hackers are then able to add their devices to the account and receive two-factor authentication push notifications, generate access codes impersonating the Duo user or even push Duo notifications for the user to accept.
To avoid such scams, OIS warns students, faculty and staff to never reply to such text messages requesting a Duo code. Additionally, Duo users are advised to log in and review their devices to ensure there are no old devices or devices they do not recognize as their own. To manage devices, please visit Penn State’s accounts website.
“Two-factor authentication systems, like Duo, add an extra layer of security reduce risk caused by stolen credentials,” said Richard Sparrow, Penn State’s interim chief information security officer. “Two-factor has proven to very effective. As a result, attackers have started to adjust scam strategies to try getting around these two-factor authentication systems. It is important for the community to be aware of scams like this to protect their work and research.”
Anyone who thinks they may already have replied to a fraudulent text message should contact OIS at security@psu.edu. For more information on Duo two-factor authentication or for security-related questions, please visit the OIS website.