We want to bring to your attention a phishing campaign that is targeting students. Notably, threat actors are using a variety of tactics, including impersonating campus IT staff. Unfortunately, some vulnerable students have been deceived into sharing their MFA codes, resulting in their accounts being compromised. These compromised accounts are then used to send out additional phishing emails, and, in some cases, students have had their bank information fraudulently changed in CUNYfirst.
No one at CUNY will ever legitimately request an MFA code, and no one must ever approve or respond to an unexpected MFA prompt they did not initiate.
Anyone receiving a request for this information should treat it as a potential scam. If you receive a suspicious message requesting an MFA code or other sensitive information, please contact the IT HelpDesk at 718.982.HELP (4357) immediately. Additionally, you should never click any links or open attachments in unsolicited email messages.
By the Office of Technology Services
