Important cybersecurity alert: Rising phishing attacks

November 18, 2025
Gaspare LoDuca, Vice President for Information Systems and Technology and Chief Information Officer

Dear members of the MIT community,

I write to urge all members of the MIT community to take extra care when reviewing email, texts, and login requests. In recent weeks, information systems at several peer institutions have been compromised through cybersecurity attacks. These incidents underscore the urgency of staying vigilant against continuously evolving cyberthreats such as phishing and social engineering scams.

Please remember to take the following steps to protect yourself and the Institute:

  • Be cautious with unexpected messages. Phishing emails or texts may appear to come from someone you know, from MIT, or even from IS&T. If something seems suspicious, contact the sender directly through another method (such as phone or Slack) before responding or clicking anything. Suspicious messages should be reported to the IS&T Security team’s Phishing Reporting System (must be on VPN to access).
  • Never approve Duo requests you didn’t initiate. A Duo push or call you did not request means your password has been compromised. Change it immediately and notify the IS&T Information Security team.
  • Always check the location in Duo push requests. A Duo push notification shows the location from which the login attempt was made. Always check that it matches where you actually are. Some attacks use fake Touchstone login pages to trick you into approving the attacker’s Duo request. Never approve a request that doesn’t match your true location.
  • Be wary of links and QR codes. Messages urging you to “keep your account open,” “retrieve quarantined emails,” or sign in via a link/QR code are common phishing tactics. Type known addresses directly into your browser instead of clicking links. Attackers often use convincing fake Microsoft 365 login pages – sometimes even with a CAPTCHA – to steal credentials.
  • Report suspicious emails. If your mailbox is in Microsoft 365, use the Phish Alert Button (must be on VPN to access), which is built in for easy reporting. Otherwise, forward the message as an attachment to phishing@mit.edu.
  • Practice spotting phishing. Join the Moira list (must be on VPN to access) “phishing-simulations” to receive periodic simulated phishing messages. If you interact with a simulated phishing message, you will be redirected to information about how to spot similar phishing messages in the future.

Your vigilance is essential to protecting yourself and MIT. For help or to report concerns, contact the IS&T Information Security team at security@mit.edu.

Sincerely,

Gaspare LoDuca
Vice President, Information Systems & Technology, and Chief Information Officer