Protect Yourself Against a Two-Factor Phishing Attempt

Fraudulent emails (see how to spot them) are a common way to steal Cornell NetIDs and passwords, and gain access to your private information. Even with two-factor authentication enabled, criminals have found ways to trick users into giving away their login credentials.


Beware of unexpected Duo (Two-Step Login) prompts. Ignore them unless you’re sure you requested them. If you are unexpectedly prompted to use Duo in a way you normally don’t, ignore it and contact the IT Security Office. For example, if you usually use your smartphone’s Duo app, but you instead get a Duo automated phone call or are prompted to enter a passcode, ignore it.

Be Wary of Repeated Login Attempts or Prompts

One way criminals try to get through your defenses is by chipping away at your patience. They start by stealing your NetID and password, then try to log in to that account over and over and over and over... You get so many authentication requests on your phone that you might accidentally hit "accept" instead of "deny," or you might be tempted to turn off two-step authentication entirely.

The best way to stop this "MFA push spam" is to change your NetID password on the compromised account. Once you change your password, the attacker can no longer send you the authentication request. Contact the IT Security Office if this happens to you.

Look Out for Well-Done Fake Login Pages

Criminals may also trick you into giving them a legitimate two-factor verification code by lulling you into believing you're using a bona fide Cornell site. They send you an email that has a link going to a fake Cornell login page. Even though the page looks correct, the URL is the clue for you that something's not right. For links that take you to a login page, triple-check the webpage address in your browser bar. The real CUWebLogin address looks like this: shibidp.cit.cornell.edu/ (nothing between cornell.edu and the slash).

This fake login page tries to trick you even there; the URL for the server site ends with .net/cornell.edu. If you're in a hurry, you might look at the end of the URL, see "cornell.edu" and think this site's legitimate.

[Image: The fake login page has a .com URL with a fake cornell.edu address tacked on after a forward slash.]

Once you enter your NetID and password on this fake page, you are asked to complete the two-factor authentication step. Normally you have three options available: Send me a Push, Call Me, and Enter a Passcode. A phishing site will offer you ONLY the Enter a Passcode option:

[Image: The fake login screen is mostly blank, with a form field for entering a Duo passcode, dressed up with the University logo. The URL is outlined in green to show the false server.]

Graphically, everything looks legitimate, so you go to your phone, get the Duo passcode, enter it into the website, and click "Log in."

You’ve now been phished.

The criminal has:

  • Your NetID
  • Your password
  • A legitimate Duo code that they can use to log in to your account

The strength of two-factor authentication lies in what you know (your login credentials) and what you have (your phone). If a website tries to bypass one or the other, then do not continue and contact the IT Security Office.

If you think your credentials have been compromised, contact the IT Security Office right away. Criminals keep trying different ways to steal data and the IT Security Office would rather see an old phish than miss a new one.

You’ll notice that this kind of attack originates with the link to the fake Cornell login page. That’s why it’s so important to make sure the link you click is a valid cornell.edu link. Remember, only the text between https:// and the next / tells the computer what server to use. https://it.cornell.edu/two-step lives on a Cornell server. https://it.scam.you/cornell.edu does not.
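The rule in the previous paragraph, turned into a link checker, as an added example that is not part of the original article: it extracts only the host part of each URL (the text between https:// and the next /) and accepts it only when that host is cornell.edu or one of its subdomains. The sample links are constructed; example.net is a reserved placeholder domain, and the lookalike cases go a little beyond the article to show other places a fake "cornell.edu" can be tucked into a link without changing the real server.

```python
from typing import Optional
from urllib.parse import urlsplit

# Domain the article treats as trusted; a link is "on a Cornell server" only
# if the host part of the URL is this domain or one of its subdomains.
TRUSTED_DOMAIN = "cornell.edu"


def link_host(url: str) -> Optional[str]:
    """Return the server name a browser would actually connect to.

    urlsplit().hostname keeps only the text between the scheme and the next
    '/', drops any 'user@' prefix and ':port' suffix, and lowercases it.
    Non-web schemes (mailto:, javascript:, plain text) return None.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def is_trusted_link(url: str) -> bool:
    """True only when the host is cornell.edu or ends in '.cornell.edu'.

    Everything after the host (path, query, fragment) is ignored on purpose:
    that is exactly where the phishing page in the article put 'cornell.edu'.
    The leading dot matters, so 'examplecornell.edu' is not a match either.
    """
    host = link_host(url)
    if host is None:
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def check_links(urls):
    """Return {url: verdict} for a batch of links pulled from an email."""
    return {u: ("cornell server" if is_trusted_link(u) else "NOT cornell")
            for u in urls}


# Constructed sample links: the two from the article, the real CUWebLogin host,
# and lookalikes that place 'cornell.edu' in the path, as a suffix, or before '@'.
SAMPLE_LINKS = [
    "https://it.cornell.edu/two-step",
    "https://shibidp.cit.cornell.edu/",
    "https://it.scam.you/cornell.edu",
    "https://login.example.net/cornell.edu",
    "https://cornell.edu.example.net/login",
    "https://cornell.edu@example.net/login",
    "https://examplecornell.edu/login",
]

if __name__ == "__main__":
    for url, verdict in check_links(SAMPLE_LINKS).items():
        print(f"{verdict:15} host={str(link_host(url)):28} {url}")
```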

About this Article

Last updated: Thursday, September 29, 2022 - 3:30pm
