Skip to main content

Cornell University

Protect Yourself Against a Two-Factor Phishing Attempt

Fraudulent emails (see how to spot them) are a common way to steal Cornell NetIDs and passwords, and gain access to your private information. Even with two-factor authentication enabled, criminals have found ways to trick users into giving away their login credentials.

On This Page

Beware of unexpected Duo (Two-Step Login) prompts. Ignore them unless you’re sure you requested them. If you are unexpectedly prompted to use Duo in a way you normally don’t, ignore it and contact the IT Security Office. For example, if you usually use your smartphone’s Duo app, but you instead get a Duo automated phone call or are prompted to enter a passcode, ignore it.

Be Wary of Repeated Login Attempts or Prompts

One way criminals try to get through your defenses is by chipping away at your patience. They start by stealing your NetID and password, then trying to log in to that account over and over and over and over... You get so many authentication requests on your phone that you might accidentally hit "accept" instead of "deny," or you might be tempted to turn off two-step authentication entirely.

The best way to stop this "MFA push spam" is to change your NetID password on the compromised account. Once you change your password, the attacker can no longer send you the authentication request. Contact the IT Security Office if this happens to you.

Look Out for Well-Done Fake Login Pages

Criminals may also trick you into giving them a legitimate two-factor verification code by lulling you into believing you're using a bona fide Cornell site. They send you an email that has a link going to a fake Cornell login page. Even though the page looks correct, the URL is the clue for you that something's not right. For links that take you to a login page, triple-check the webpage address in your browser bar.

The real CUWebLogin address looks like this: shibidp.c/ (nothing between and the slash).

This fake login page tries to trick you even there; the URL for the server site ends with .net/ If you're in a hurry, you might look at the end of the URL, see "" and think this site's legitimate.

The fake login page has a dot com url with a fake Cornell dot edu address tacked on after a forward slash

Once you enter your NetID and password on this fake page, you are asked to complete the two-factor authentication step. Normally Duo will use the method you used most recently, or the method you have chosen from the Other options list of methods. 

A phishing site will offer you ONLY the Enter a Passcode option, and will have an address from an unrecognized website domain.

The Duo Universal Prompt will only appear on the web domain.

The Duo Universal Prompt will have "" as part of the address

Graphically, everything looks legitimate, so you go to your phone, get the Duo passcode, enter it into the website, and click "Log in."

You’ve now been phished.

The criminal has:

  • Your NetID
  • Your password
  • A legitimate Duo code that they can use to log in to your account

The strength of two-factor authentication lies in what you know (your login credentials) and what you have (your phone). If a website tries to bypass one or the other, then do not continue and contact the IT Security Office.

If you think your credentials have been compromised, contact the IT Security Office right away. Criminals keep trying different ways to steal data and the IT Security Office would rather see an old phish than miss a new one.

You’ll notice that this kind of attack originates with the link to the fake Cornell login page. That’s why it’s so important to make sure the link you click is a valid link. Remember, only the text between https:// and the next / tells the computer what server to use. https:/two-step lives on a Cornell server. does not.

Report Suspicious Email with PhishAlarm

If you receive a suspicious email with login prompts or asking for other personal information, report the message to the IT Security Office using PhishAlarm.

The button appears in different places, depending on your device and Gmail or Outlook interface. Examples and additional details can be found on the PhishAlarm instructions page.


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.