Example 251: Fake University of Minnesota Login Pages

Scammers craft fake University login pages to harvest passwords and bypass Duo.

Fake login pages are typically delivered as a link in a scam email, often with a notice like “you have a secure message” or “your account will be closed.” Scammers are trying to capture user ID and password combinations and then trick people into typing in a Duo code in a fake prompt or accepting a Duo push that they did not initiate. These attacks have gotten more sophisticated, where passwords are tested immediately after being harvested by the fake login page, making it harder to differentiate your login attempts from theirs. 

These phishing emails may come from a non-University email address, a non-U account that tries to impersonate a University person or group, or a University account that has been compromised. 

Checking to see if an email is legitimate is harder to do on your phone or tablet. You may not easily see who is actually sending the email and you can’t review the web link within the message without additional steps. When in doubt, check the email from a computer instead.

Indicators of Phishing

  • Email is suspicious and/or unexpected.
  • Unrecognized sender email address impersonating the University.
  • Message is mysterious or of inflated importance.
  • URL link is strange or suspicious.
  • Login URLS are not umn.edu.
  • A new login page(s) appears when you’re already signed in.

What to Do If You Receive One of These

  • Do not reply, click the link(s), or login (if you do click the link).
  • Forward the scam email to [email protected].
  • Report it as phishing to Google. In Gmail, select the three-dot More menu next to Reply and choose Report phishing to help educate Google's filters to block similar messages in the future.
  • For more information, please see: Recognize and Report Email Scams

Examples

From: UMN <[email protected]>
Date: Fri, Jun 10, 2022 at 7:12 PM
Subject: UMN Notification(s)
To: <[email protected]>

1 New Important Message.

Open Message
<hxxps://www.hyperhub.com.au/newhub/api/email/track?client_id=39&email_id=510&send_id=202469&type=clickLink&url=aHR0cHM6Ly90ZXJ1aW5ldC5jb20vdW1uLmVkdQ= > 
University of Minnesota

Fake University Login Page

A fake Duo passcode page with text callouts displaying the non-UMN address and that the Duo “Remember me” option has settings not available at the University.
A fake UMN login page with text callouts displaying that the page does not have a University address, is missing the standard search bar that login pages have, and shows which help links on the page may also be broken or lead to other non-UMN pages.

Fake Duo Passcode Page

A fake UMN login page with text callouts displaying that the page does not have a University address, is missing the standard search bar that login pages have, and shows which help links on the page may also be broken or lead to other non-UMN pages.
A fake Duo passcode page with text callouts displaying the non-UMN address and that the Duo “Remember me” option has settings not available at the University.