What do I do if I receive a Duo Push when I’m not logging into any UMBC applications?

Even after someone is able to steal your UMBC username and password, they still need to get through Duo’s two-step verification. For this reason, it's important to make sure you don’t accept unauthorized Duo Push notifications.

A bad actor that has obtained a user’s credentials will often send multiple push requests to the user hoping they will accept one of the pushes out of habit, or out of annoyance.

If you receive a Duo push while you are not attempting to log into any UMBC applications, it is likely a bad actor has stolen your credentials and is trying to gain access to your account. If you receive a suspicious Duo push: 

  1. deny the push

  2. select “yes” on the following pop-up to report the suspicious login

  3. Change your UMBC password. Instructions on how to do this can be found here:
    How do I change my myUMBC password?

 

Reporting the suspicious Duo push will send a report to DOIT’s Security group who will work with you to secure your account.

NOTE: Reporting will not stop the bad actor from sending Duo pushes. Your Duo app will be muted and will not send notifications for 20 minutes. By changing your password, further Duo push attempts from attackers should stop. 

If you accidentally accept a suspicious Duo push, contact security@umbc.edu immediately.