Carnegie Mellon University
February 25, 2015

Security Alert: Email Scam Targets CMU Employees for Potential Payroll Theft

Dear Campus Community,

On December 4, 2014 the Information Security Office (ISO) published an information notice titled “Scam Alert: Higher Ed is Target of Direct Deposit Thieves”. This notice can be found on the ISO’s home page at www.cmu.edu/iso. The article warned of phishing email attacks targeting schools for the purpose of stealing credentials and using them to alter the victims’ direct deposit information.

On Saturday, February 21, 2015, nearly 200 Carnegie Mellon users received a phishing email that appears to have been designed for this purpose. The email’s subject was “Your Salary Raise Information”. A link in the message led to a well-crafted copy of Carnegie Mellon’s login page. After providing their login information, victims were redirected to campus websites. Later, the attacker used a subset of the harvested login information to access Workday. Workday is the system used by employees (including work-study students and some graduate students) for payroll, human resources and time-tracking information.

While the investigation is ongoing, there is no evidence that any Workday data was modified, and the known victim accounts, of which there were relatively few, have been secured. Only data accessible to the individual victims’ accounts was ever at risk.

This event serves as a reminder of the importance of remaining vigilant to phishing email. The ISO recommends a few safeguards to avoid becoming a victim of phishing attacks.

  1. Verify the authenticity of suspicious or unexpected emails before you click.
  2. Be aware that fraudsters can easily copy CMU webpages, including login pages. Don’t trust a webpage just because it looks right, especially if you arrive via an email link. Check the URL before you provide your credentials. It should begin with the URL documented by the service provider. For example, “https://login.cmu.edu” is the URL for Web Login.
  3. Report concerns as soon as possible. You can reach the ISO incident response team at iso-ir@andrew.cmu.edu. In the event of an information or network/computer security emergency, call the ISO at x8-2044.
  4. Learn how to spot phishing emails by taking the Anti-Phishing Phil and Anti-Phishing Phyllis training, available on the ISO’s website under Training and Awareness.

Sincerely,

Mary Ann Blair
Director of Information Security