Information Security Services has learned of a large-scale campaign to compromise WSU email accounts through social engineering. Within the last week, attackers have engaged in a campaign of impersonating WSU information technology staff while contacting faculty, staff, and students via email and text messages asking to validate accounts and threatening to deactivate WSU accounts otherwise.
Those who fall for the ruse are directed to a fake login page where their username and password is stolen, and the attackers then request the Multi-Factor Authentication (MFA) code to bypass that secondary layer of security protection.
Under no circumstances should anyone disclose usernames, passwords, or MFA codes to anyone requesting them via email or text message. WSU Information Technology Services (ITS) does not “check for active accounts” by emailing or texting account owners, and will never need your MFA for it.
If you are contacted by anyone asking you to verify your WSU account by logging in, providing your MFA code, or both, do not engage with these individuals. Report the incident immediately to abuse@wsu.edu.
