Scam of the Month: Duo Verification Code Text Phishing 

Criminals who’ve stolen WUSTL Keys and passwords are masquerading as IT support over text messages to get us to enter Duo verification codes. Legitimate WashU employees will not ask you to enter codes into your Duo app. Only enter a verification code if you are logging in for yourself. Do not enter a code given to you by someone else. 

If you receive text messages like the ones below, please do not interact with the sender and do not enter verification codes in the Duo app. When in doubt, you can always verify by calling the Service Desk at 314-933-3333.  

  1. Be suspicious of any text claiming to be from IT or the Service Desk. 
  2. Reject any Duo push notification unless you are actively using the WUSTL Key login. 
  3. Look at the geo-location information in the Duo push notification. If you are not actively logging onto a web page from that general location, assume it’s a scam. 

Entering verification codes given to you by someone else grants them full access to your account and its privileges. This can lead to monetary or intellectual property loss. 

Here are some helpful tips for avoiding a scam like this one:  

If you receive a suspicious text message, the best action to take depends on the situation. Since texts aren’t managed by WashU IT systems, you will often need to reach out to your specific provider.  

  1. If it’s clearly fake, report it.  
  2. If you aren’t sure if it’s a fake, call the Service Desk at 314-933-3333. 
  3. If you get a Duo push notification and aren’t trying to log in, reject it and reset your password.

Additional Resources 

Phishing | Office of Information Security | Washington University in St. Louis

Phishing 101 | Office of Information Security | Washington University in St. Louis

Vishing | Office of Information Security | Washington University in St. Louis

Protect Yourself from Social Engineering  
