Information Security

SCU Security Guides

How to Identify an SMS Phish

Overview and details on how to identify an SMS phish.

Phishing attacks aren’t limited to emails; they also target people through SMS. The example below shows a classic attempt to trick a user into sharing a Duo multi-factor authentication (MFA) code using a “man-in-the-middle” (MITM) approach. Let’s explore the red flags in this message and how to protect yourself.

Key Identifiers of This Phishing Attempt:

[Image: SMS + Duo Code phish]
  • Unusual Capitalization and Spacing: Notice the inconsistent capitalization in phrases like "Microsoft office365 help desk IT." Legitimate messages are usually well-formatted and clear.
  • Incorrect Email Provider: This message mentions Microsoft Office365, but SCU uses Google for email, not Microsoft. Phishing messages often contain generic or incorrect details.
  • Generic Sender and Urgent Tone: The sender’s phone number is unrecognized, and the message creates urgency, claiming your account could be deactivated. Official messages will come from familiar contacts and won’t use pressure tactics.

What’s Happening Here?

This is a Man-in-the-Middle (MITM) attack aimed at bypassing Duo MFA. Here’s how it works:

  1. Attacker Has Your Password: By the time you receive this SMS, the attacker has likely obtained your password from a previous phishing attack.
  2. Triggering a Duo Passcode: When the attacker attempts to log in using your credentials, they will need to get past Duo, so they trick you. The attacker sends you an SMS posing as IT support or some other pretend authority. When you reply, they tell you they will send a code for you to reply with to “verify” you. Then they immediately log into an SCU application using your password. When they get the Duo prompt, they tell Duo to send an SMS code, which the attacker knows will go to you.
  3. Tricking You into Sharing the Code: The attacker then asks you to share the code Duo has sent to you, claiming it’s needed to prevent account deactivation. Once you share it, the attacker has everything they need to access your account without your knowledge.
  4. Attack Variations: This attack scenario could work with a Push as well. If you get a text message telling you to approve a Duo Push, it’s a scam. Information Services does not contact end users via SMS. Attackers might claim to be from an SCU office or service. Always verify the legitimacy of the SCU office or service by checking contact information on the official SCU website. Do not rely solely on the message itself.

Protect Yourself

[Image: Duo SMS]
  • Know What a Real Duo SMS Looks Like: Here is an example of an authentic Duo SMS message. Duo will explicitly instruct you not to share your code with anyone, including staff members.
  • Never Share Duo Passcodes: Remember, IT support will never ask you for your Duo passcode sent via SMS. If anyone asks for it, it's likely a scam. (Note: we do use Duo “Push” to verify identities, but this stays on your phone that you control.)
  • Verify Suspicious Requests: If you receive a suspicious request, contact the SCU Technology Help Desk at techdesk@scu.edu, or at (408) 554-5700, rather than replying to the message. You can also visit the SCU Information Services page at https://www.scu.edu/is/ for more information.

By recognizing these red flags and understanding how Duo MFA works, you can protect your account from unauthorized access and stay one step ahead of attackers.