Information Security Services has learned of a large-scale campaign to compromise WSU email accounts through social engineering.
Within the last week, attackers have engaged in a campaign of impersonating WSU information technology staff while contacting faculty, staff, and students via email and text messages asking to validate accounts and threatening to deactivate WSU accounts otherwise.
Those who fall for the ruse are directed to a fake login page where their username and password is stolen, and the attackers then request the Multi-Factor Authentication (MFA) code in order to bypass that secondary layer of security protection.
Under no circumstances should anyone disclose usernames, passwords, or MFA authentication codes to anyone requesting them via email or text message. WSU information technology services does not “check for active accounts” by emailing or texting account owners, and will never need your MFA authentication for it.
If you are contacted by anyone asking you to verify your WSU account by logging in, providing your Multi-Factor Authentication code, or both, do not engage with these individuals, report the incident to information security services at abuse@wsu.edu.