Bulletin Board
This is restricted access content. Please don’t forget to logout if you are using public computer.

Unexpected Duo Prompt? Stop—It Could Be Phishing

Posted: March 25, 2026
“Illustration showing a phishing email being blocked and a Duo login request denied to represent account security.”

Approving the wrong Duo request or responding to a suspicious text can give attackers access to your Tufts account. Learn what to watch for, what never to do, and how to get help fast if something seems off.

How to Protect Yourself from Phishing at Tufts

Phishing attempts continue to target members of the Tufts community, and they are becoming increasingly sophisticated. Many of these messages are designed to look legitimate and may use familiar tools—like Google Forms or text messages—to trick you into sharing sensitive information.

Understanding how these attacks work and knowing what not to do is the best way to protect your account.

How These Phishing Attacks Work

Recent phishing attempts have followed a common pattern:

  • You receive an email with a link to a Google Form that appears to be from a trusted source.
  • The form asks for login credentials, personal information, or phone numbers.
  • If the form is submitted, the attacker may follow up with a text message asking for a Duo verification code.
  • If the Duo request is approved, the attacker can access the account and send phishing messages from it.
  • Once an account is compromised, it can be used to target others across the Tufts community.

What You Should Do to Stay Safe

The steps below are the most effective ways to protect yourself from phishing and account compromise.

Never approve a Duo request you didn’t initiate

If you receive a Duo push notification and you are not actively logging in, deny the request immediately. Approving an unexpected Duo prompt gives an attacker access to your account.

Be suspicious of account-related text messages

Tufts Technology Services (TTS) will not contact you via text message to ask you to verify, secure, or restore your account. Any text message claiming to be from TTS that asks you to take action should be treated as suspicious.

Never enter a Duo code sent to you by someone else 

No one at Tufts—including TTS—will send you a Duo code and ask you to enter it. Sharing a code allows an attacker to bypass account protections.

If You Think You May Have Been Phished

If you believe you may have:

  • Clicked a suspicious link
  • Entered information into a phishing form
  • Approved a Duo request by mistake
  • Contact TTS immediately so they can help secure your account. Call 617‑627‑3376 as soon as possible.

Stay Vigilant

Phishing relies on urgency and trust. Taking a moment to pause, question unexpected messages, and follow these guidelines helps protect not only your account, but the entire Tufts community.