Protect Yourself: Fighting MFA Fatigue

Protect Yourself: Fighting MFA Fatigue

MFA FatigueLast week, OIT notified the campus of a successful phishing campaign targeting the SMU community. In this campaign, we noted that cybercriminals had begun using a new technique where they repeatedly send Duo requests to users who have shared their username and password to annoy users into approving the two-factor request.

This technique, referred to as “MFA fatigue,” has become increasingly common, and over the next several weeks, OIT will begin implementing measures to combat this trend. In the meantime, we recommend you take the following actions if you notice something suspicious:

  1. If you have provided your credentials to a suspicious site, please reset your account password immediately. You can reset your password via smu.edu/password or call the IT Help Desk at 214-768-4357.
  2. suspicious 2fa requestIf you are receiving a Duo push but are not actively logging into an SMU service, DO NOT APPROVE the push! If this happens, it indicates that your account credentials are in someone else’s hands or they are using one of your devices!Please deny the push request and immediately change your password.

    We know it’s annoying to receive a repeated notification from Duo, and you may just want it to stop. However, hitting the approve button grants them access to your account and any system you have access to.

Your SMU ID and password grant access to a myriad of resources and a large amount of data. You have a responsibility to help protect your information as well as the information across SMU by safeguarding your account access at all times. Phishing exploits will continue despite the various tools and technologies we implement to help block these attempts. Not only is it critical to understand the anatomy of a phish, so you can better spot them, but it is also critical to know what to do if you fall prey to a phish.

Remember, OIT will never ask you to verify your account, renew your services, or provide your credentials via email. The majority of the SMU applications utilize the same login screen, which prominently features the following:

idp.smu.edu sample page

  1. SMU Logo
  2. Service Name
  3. URL begins with idp.smu.edu

If you are in doubt about the legitimacy of the site, don’t log in!

Sign InA service page hosted on smu.edu/oit has the official sign-in button. When in doubt, locate the service page on our site and log directly in using that page rather than any link in an email.

Print Friendly, PDF & Email

Published by

George Finney and Rachel Mulry

George Finney is the Chief Security Officer at Southern Methodist University. He is responsible for implementing and monitoring a diverse security infrastructure to protect the University network and data.