Many institutions of higher learning are falling prey to an increasing number of phishing attacks. Simmons is no exception. Phishing attacks have soared 220% since the beginning of the pandemic. Despite our active monitoring efforts and alerts to the community, too many of us still fall victim. Breaches of Simmons login credentials this month have resulted in compromised computers being used to send even more phishing messages and, most recently, in unlawful access to Workday, where banking information was exposed and, in one case, changed. Giving up your password to a phishing site has serious consequences.
Phishing and Imposter Websites
Cybercriminals are adept at creating imposter websites that look like standard login pages for Google, Microsoft Live, and even Simmons’ own login page. The URL of the Simmons login page will always begin with “idp.simmons.edu”. Any other URL, even if it contains “simmons.edu” later in the text, is not our login page.
Sharkpass/DUO Do’s and Don’ts
While Sharkpass/DUO gives us an edge against cybercriminals, it is not foolproof. Imposter login websites often include a false DUO page and ask you to enter a code from your DUO mobile app. Doing so gives up your account to thieves, who then have access to your personal information and the ability to direct your paychecks or refunds away from your bank account. The URL of the Simmons Sharkpass/DUO page will also only begin with “idp.simmons.edu.”
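The address check described above for the login and Sharkpass/DUO pages, written out as an added example (not Simmons code): it compares the parsed host against idp.simmons.edu exactly, next to a naive prefix match that lookalike addresses pass. The function names, the HTTPS-only and port rules, and the sample links on the placeholder domain login.example are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

LOGIN_HOST = "idp.simmons.edu"  # the login host this notice names


def naive_check(url: str) -> bool:
    """Weak: string prefix match after the scheme. Shown for contrast."""
    return url.split("://", 1)[-1].lower().startswith(LOGIN_HOST)


def is_login_url(url: str) -> bool:
    """Strict: the parsed host must equal LOGIN_HOST exactly."""
    if "\\" in url or any(ord(c) < 0x21 for c in url):
        return False  # browsers and parsers disagree on these; reject
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # hostname is lowercased
    except ValueError:
        return False
    if parts.scheme != "https":  # assumption: the login page is HTTPS-only
        return False
    if "@" in parts.netloc or port not in (None, 443):
        return False  # userinfo or an unusual port is never expected here
    return host == LOGIN_HOST


# Constructed sample links; login.example is a reserved placeholder domain.
SAMPLES = [
    "https://idp.simmons.edu/",
    "https://IDP.Simmons.edu:443/path?x=1",
    "https://idp.simmons.edu.login.example/",
    "https://idp.simmons.edu@login.example/",
    "https://login.example/idp.simmons.edu/",
    "https://login.example\\@idp.simmons.edu/",
    "https://idp.simm\u043ens.edu/",  # Cyrillic "o" homograph
    "http://idp.simmons.edu/",
]


def audit(urls):
    """Return (url, naive_result, strict_result) for each link."""
    return [(u, naive_check(u), is_login_url(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in audit(SAMPLES):
        print(f"naive={naive!s:5} strict={strict!s:5} {url!r}")
```

Only the first two samples pass the strict check; the prefix match also accepts the two lookalikes that merely start with the real host name.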
What else you should and shouldn’t do
- Change your password regularly.
- Report phishing messages you receive using “Report Phishing” in the Gmail menu.
- Don’t forward phishing messages to anyone. Friends and colleagues can fall victim too.
- Consider using Gmail’s mobile apps on iPhone and Android instead of the provided mail apps. Gmail’s app presents warnings about suspicious messages and allows you to report phishing messages.
- Don’t click on links or download attachments from messages you are not expecting.
Remember, real Simmons sites start with “idp.simmons.edu!”
What we’ll be doing
Simmons Technology continues to review recent incidents and take actions that make our infrastructure safer and less appealing to cybercriminals, but there isn’t much we can do if you give away your credentials online. In an effort to make our login process more secure, we will be doing the following in the near future:
- Removing DUO mobile passcode, phone callback, and SMS passcode features from Sharkpass/DUO. Logging in will require utilizing a “Push” to your mobile device.
- For those unable to use the DUO Push notification on their mobile app, hardware tokens and security keys will be made available.
- Implementing a mandatory password reset for the community.
We realize these measures will cause a small change in the way some of us work and utilize Simmons resources. We are confident that after a brief adjustment, all will be able to adapt and help create a safer online environment. Please stay tuned for more information about these upcoming information security changes. And please reach out to me or the Technology Service Desk ([email protected] or 617-521-2222) with any questions or concerns.
Thank you,
David Bruce
Vice President, CIO
Simmons University