
Sophisticated, multistep phishing attacks use common tactics

In October 2024, the University of Utah warned users about a sophisticated, multistep phishing attack that used a combination of emails with fake job offers and account verification requests, Google forms, fake university webpages, and smishing (SMS phishing) to collect usernames, passwords, email addresses, and other personal information. With this information, the attacker could potentially have gained access to users’ university and personal accounts.

Given the level of sophistication, was the phishing attack more difficult to detect than normal?

Jesse Adams, associate director for the Information Security Office’s (ISO) Security Operations Center (SOC), said many phishing attacks are low-level pass-through scams, like an email claiming your bank account is overdrawn and that you need to log in using the provided link to deposit money to avoid fees — the end. More sophisticated phishing attacks are multistep campaigns that combine several tactics, such as credential phishing, impersonation, and multifactor authentication (MFA) fatigue attacks, to harvest login and personal information and bypass security controls like Duo.

All phishing attacks, however, use similar methods to trick people into divulging information, giving away money, opening suspicious links, or downloading/installing malicious software.

“It's really about the contents of the message,” Adams said. He watches for the following red flags:

  • Sense of urgency
  • Messages from people you don’t know
  • Unexpected or unusual messages from people you normally communicate with
  • Messages from people claiming to be in leadership positions at the university that use non-utah.edu email addresses
  • Text messages from the university with a link to log in to an account
  • Requests for money or gift cards, especially when the person says they cannot meet in person or talk on the phone but can email back and forth
  • Requests to take the communication to a different channel (e.g., email to text messages)
  • Review other common red flags on the ISO’s Phish Tank website.

Report phishing

If you receive a phishing attempt through a university email account, immediately report it using the Phish Alert button.

  • Open or select the suspicious message, then select the Phish Alert button.
  • If your email client does not have the Phish Alert button, forward the email as an attachment to phish@utah.edu.
  • For more info on how to report suspicious emails, please visit this IT Knowledge Base article.

If, by accident, you open a questionable link and enter your U login credentials, immediately go to CIS — https://cis.utah.edu/ — and change your password. In addition, contact the SOC at soc@utah.edu to notify information security staff.

If you need additional assistance, please contact your central IT help desk:

  • Main Campus IT Help Desk: 801-581-4000
  • University of Utah Health ITS Service Desk: 801-587-6000

“Those are the ones that the ISO sees people fall for all the time. It’s mostly just not paying attention to who you’re interacting with,” he said.

For example, he said, people often don’t pay close enough attention to the From header, which shows both the sender’s display name and the sender’s actual email address. Because they recognize the display name, they don’t look closely at the address, which is the part that might indicate whether the email is legitimate.

“If the email looks like it’s from the University of Utah, but the email address does not have a utah.edu domain, it’s time to be suspicious,” Adams said. “The message might be from one of our software providers, but they are not — and the university is not — going to send out a password reset form in Google Forms.”
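The From-header check Adams describes can be automated as a first triage step. The following is an added example and is not code from the university or the ISO; it assumes utah.edu is the only trusted sending domain (a real allow-list would come from the ISO and would include legitimate vendor domains, which this version would otherwise flag), and the headers it inspects are constructed for the demonstration. It also catches two tricks beyond a plainly foreign address: a trusted domain used as the prefix of a lookalike (utah.edu.account-verify.com is not utah.edu) and an email address planted inside the display name, and it decodes RFC 2047 encoded display names so obfuscated names are compared as the mail client would render them.

```python
from email.header import decode_header
from email.utils import parseaddr

# Assumption for this example: the only domain the university sends from.
# A real allow-list would come from the ISO and might include vendor domains.
TRUSTED_DOMAINS = {"utah.edu"}
# Phrases in a display name that borrow the university's identity (assumed list).
IDENTITY_PHRASES = ("university of utah", "utah.edu")


def decode_display_name(raw: str) -> str:
    """Decode RFC 2047 encoded-words (=?utf-8?q?...?=) so an obfuscated
    display name is compared as the plain text the mail client renders."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_trusted_domain(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Exact match or a genuine subdomain. 'utah.edu.evil.com' must fail:
    the trusted name has to be the suffix of the domain, not its prefix."""
    return any(domain == d or domain.endswith("." + d) for d in trusted)


def inspect_from_header(from_header: str) -> tuple[bool, list[str]]:
    """Return (suspicious, reasons) for a raw From: header value."""
    raw_name, addr = parseaddr(from_header)
    name = decode_display_name(raw_name)
    domain = sender_domain(addr)
    if not domain:
        return True, ["From header has no parseable address"]
    if is_trusted_domain(domain):
        return False, []
    reasons = [f"sender domain '{domain}' is not a trusted domain"]
    lowered = name.lower()
    # The display name is what the reader recognizes; flag it when it claims
    # the university's identity while the real address does not.
    if any(p in lowered for p in IDENTITY_PHRASES):
        reasons.append("display name claims a university identity")
    if "@" in name:
        reasons.append("display name contains an email address (address-in-name spoof)")
    return True, reasons


# Constructed headers for demonstration; none are real messages.
SAMPLE_HEADERS = [
    "University of Utah <no-reply@mail.utah.edu>",
    "IT Help Desk <helpdesk@utah.edu.account-verify.com>",
    '"jesse.adams@utah.edu" <job.offers@gmail.com>',
    "=?utf-8?q?University_of_Utah_ISO?= <alerts@utah-edu.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        suspicious, reasons = inspect_from_header(header)
        print("SUSPICIOUS" if suspicious else "ok", header, "|", "; ".join(reasons))
```

The subdomain test deliberately matches on the suffix with a leading dot, since a plain substring test would accept the lookalike in the second sample header. A trusted domain is still not proof of legitimacy (a compromised utah.edu account sends from a trusted domain), so this is a triage signal to combine with the other red flags, not a verdict.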

Phishing messages often contain an urgent call to action that is unusual and unexpected. The recipient, however, can confirm the validity of the call to action through other channels. For example, if an atypical request comes from a supervisor (e.g., “I need you to buy some gift cards for me. Please text my new cell number when you’re done.”), the recipient can verify its legitimacy by calling or emailing their supervisor using their official contact information, not the number or address supplied in the message.

The October phishing attack used credential phishing via Google Forms before pivoting to another tactic.

“Then, instead of asking for username and password, the attacker asked for personal email address and cellphone number so they could impersonate two-factor services more effectively,” Adams said, noting that users should review every Duo push notification they receive and mark the ones they do not recognize as fraudulent.

When someone marks a push notification as fraudulent, they deny attackers access to their account and notify the SOC about potentially suspicious activity. A SOC employee will review the user’s account and contact them if it’s been compromised.

Although it’s crucial to learn to recognize phishing, it’s just as important to report suspicious emails, texts, calls, forms, and webpages to the ISO.

“You’re probably not the only person who got the phish, but you might be the only person who reports it and saves people a headache, not just for access to university systems but for things like a bank,” Adams said. “Maybe other bank customers are affected, but we can’t reach out to people if we don’t know what’s happening.”


Last Updated: 3/26/25