Information Services warns of email phishing attack

Phishing email

Beware of this email: “Unable to display this message? Click here to open this message.”

If you haven't clicked, don't. And delete the email. If you have clicked, change your Duck ID password right away.

That's the word from University of Oregon Information Services in a Sept. 6 UO Alert and message on DuckWeb. The prompt went to UO students and employees who over the past two weeks likely received a phishing email trying to trick users into giving up account passwords.

"This seems to be happening at several different universities," UO Chief Information Security Officer Leo Howell said. "In our field, we typically see attacks happen around the start of an academic year. What's important for our community to know is the steps to take in this situation and how to defend themselves in the future."

The phishing emails may have different subject lines, but all of them include tempting links to "click here to open this message," or a similar variant. They are made more tempting because the messages come from legitimate UO email accounts that have been compromised, and the subject lines can be pulled from actual message threads in compromised accounts.

The UO's information security office has determined that, as expected, phishers are trying to collect account information, which can be used to lure others into providing sensitive information.

People who clicked through such an email should go to Duck ID Self-Service to change their Duck ID passwords and revise security questions and answers. They should also notify the UO information security office by email at

Those who didn't click through the email should just delete it, if they haven't already. Information Services is also working to delete those phishing emails from the inboxes of students and employees.

Howell indicated that updates about the phishing attack would be posted on DuckWeb as needed. Students, faculty and staff can log in to DuckWeb to view the current message.

Generally, everyone should be suspicious of any emails that look unusual or ask for any sensitive information, especially passwords. If in doubt, people should contact the Information Services Technology Service Desk at 541-346-HELP or forward suspicious email to The Technology Service Desk is in Prince Lucien Campbell Hall.

Separately from this incident, the federal student aid office sent out a national message recently warning of a different kind of phishing attempt, this one to compromise student financial accounts.