Prevent hackers from stealing your passcode

Sam Foster
Wednesday 17 August 2022

Multi-factor authentication has been used at the University since 2019. It safeguards our staff and students against cyber criminals gaining access to their accounts through phishing attempts, password spraying, and password guessing. Having a second factor on your account that only you have access to means that your account is protected – even if a hacker knows your password.

Since the rapid move to digital over the last few years, multi-factor authentication has been widely adopted across many organisations with great success. However, alongside this new norm, cyber criminals have evolved their tactics and started to target organisations in a new way by mimicking their multi-factor authentication pages.

How does multi-factor authentication fraud work?

When you log into a University service, you’ll be prompted to authenticate a second time using your Duo or Microsoft authenticator. 

Hackers can use this knowledge to tailor phishing emails to the University. This means the email either:

  • asks you to update a password or settings within a University service and contains a link taking you to the fake multi-factor authentication portal.
  • claims to be from IT and ask you directly for your passcode to try and lure you into divulging your second factor.

IT Services will never ask you for your passcode. By giving away these details, an attacker could bypass your second factor. 

What actions can we take to prevent this?

IT security experts recognise that multi-factor authentication is still the best practice. It’s significantly more secure than relying on a password alone. Our best line of defence against this new threat is you – staff and students – learning how to spot a phishing multi-factor authentication page and reporting it immediately.

We’ve created a graphic to help you identify these kinds of pages. Feel free to share this with colleagues and classmates, or invite one of our IT security team to one of your meetings to discuss the threat in more depth.


Microsoft Authenticator:

If the multi-factor authentication page displayed does not contain indicators personal to you (such as the last three digits of your mobile number or your email address), report it to the IT Service Desk immediately.

Only approve push notifications initiated by you. Any others should be denied and reported to IT Services by email. If denying a push notification, you’ll be asked whether you’d like to report this within the app.

If you’re unsure, please forward the email to [email protected] or contact the IT Service Desk.

Share this story

Subscribe to the IT Services blog

Enter your email address to subscribe to this blog to receive notifications of new posts.