Carnegie Mellon University
March 22, 2016

Campus Scam Alerts

Dear Faculty and Staff,

I am writing to alert you to a number of recent -- and, unfortunately, successful -- email phishing scams that have been received by faculty and staff at Carnegie Mellon or by other schools. These scams target Workday users, DropBox users, Blackboard users, and research faculty with the goal of capturing login ids and passwords for various purposes. They impersonate our official email addresses and service providers. The email messages and websites they lead to are sophisticated, look legitimate, and require due diligence in detecting and reporting.

See additional details for each of these scams below.

As April 1 approaches, a day notorious for pranks and scams, please be on increased alert for scams:

  • Avoid clicking on links or opening attachments in unexpected email;
  • Check in with senders to be sure a message is legitimate before taking action;
  • Never send your username and password in response to an email, no matter how urgent sounding;
  • Validate URLs or use known good URLs or bookmarks to navigate to university services;
  • Question unexpected callers before providing requested information.

If you receive suspicious emails, phone calls or other forms of contact, please report as soon as possible to

The ISO will triage the situation and if necessary block campus access to malicious destinations, notify affected parties, and take other actions to contain harmful effects. The sooner you report, the sooner we can protect.

From the entire ISO team, thank you for remaining vigilant, reporting concerns, following procedures, and assisting in our response efforts. We appreciate your partnership in keep CMU's data, systems, and networks secure.

Thank you,

Mary Ann Blair
Director of Information Security
Carnegie Mellon University

More Information


The most recent Workday scam has not been reported at Carnegie Mellon but a number of other schools have received email from "IT Support" telling recipients that Workday was upgraded and that they should log in via a provided (malicious) link in order to ensure access. The link leads to a well-crafted webpage that mimics the university's secure web login and collects the username and password. The username and password is then used to access Workday and change the user's direct deposit instructions.


On March 17, 2016, two different phishing attacks involved invitations to over 4,400 community members to access shared DropBox folders. One came forged as "Carnegie Mellon -" and the other as "Farnam Jahanian". In both cases, the messages were convincing and designed to only steal username and password. Dozens were lured into divulging their usernames and passwords once they clicked. Had the phish been designed to install malware after clicking, dozens more would have been adversely impacted.


Since January 1, there have been nearly 3,500 recipients of Blackboard-related phishing scams.A third of the 20 phishing scams the ISO has dealt with since January have been Blackboard-related. Blackboard is a learning management system (LMS) in use at many universities including CMU. Blackboard phish messages have had subjects such as "You have new course work from your Admin Faculty" and "You have 1 new Faculty message."

Research Faculty

On January 2, 2016, over New Year's weekend ( when folks would not typically be on campus), nearly 400 individuals received an invitation to visit a malicious URL designed to look like a login to The lure in this case began, "I recently read your last article and it was very useful in my field of research. I wonder, if possible, to send me these articles to use in my current research".

Scammers will appeal to whatever angle they feel will be most effective. If it's flattery, they will flatter. If it's worry, they will alarm. If it's an authority figure, they will impersonate. The lesson for us is that they will keep evolving their techniques and we will need to evolve along with them. If you have ideas and suggestions about how we can do a better job, please let me know.