Vishing is the act of attempting to steal sensitive information (like passwords, credit card numbers, or login IDs) over the phone. Scammers often use sophisticated tactics to impersonate trusted sources, such as university IT staff, to convince you to hand over your credentials.

How to Protect Yourself:

1. Never provide your password, PIN, or multi-factor authentication codes over the phone.

2. If a caller asks for your login credentials, hang up and call the UTS Service Desk line directly to verify the request.

3. How to Report a Vishing Attempt:  If you believe you have been targeted by a Vishing attack, contact the UTS Service Desk immediately at x24357 or uts@mcmaster.ca by email. Do not engage with the caller.

How MFA Works for Your McMaster Phone Login

To keep your Office 365 account secure, Multi-Factor Authentication (MFA) is now required. MFA adds a second layer of protection by asking you to verify your identity using something you have — like your office phone.

How it works with your extension:
If you’ve set your office phone extension as your MFA method, you’ll receive a voice call to your desk phone or softphone when signing in. Simply answer the call and follow the prompt to approve the login.
What to expect:

• You’ll be prompted to set up MFA the next time you sign in.
• Choose “Phone call” as your second factor and enter your office extension number.
• When logging in, you’ll get a call to your extension — press the key to confirm and you’re in.

How to Set it Up

Step 1: Access the Security Info Page

• Open your web browser and navigate to the Microsoft Security Info page: https://aka.ms/mfasetup
• Sign in with your McMaster MacID (e.g., MacID@mcmaster.ca) and password.
• If this is your first time setting up MFA, you may be automatically taken to the setup screen. If not, click on Security info in the left-hand navigation pane.

Step 2: Add the “Phone” Method

• On the Security info page, click the + Add sign-in method button.
• In the dropdown menu, select Phone and click Add.

Step 3: Enter Your Campus Phone Number

• On the Phone configuration page, For Country or region, select Canada (+1) 9055259140
• Select the radio button for Call me.
• You will then add the extension, which usually goes in the same field or an adjacent one, or is sometimes appended to the end of the phone number.

Step 4: Verify the Number

• Click Next.
• Microsoft will now initiate an automated phone call to the number you provided.
• Answer your McMaster desk phone immediately.
• You will hear an automated voice prompt from Microsoft asking you to press the pound key (#) to approve the sign-in.
• Press the # key on your desk phone’s keypad.

Step 5: Complete the Setup

• Once you press the pound key, the phone call should confirm that your sign-in was successful.
• On your computer screen, the setup should show “Call answered. Your phone was registered successfully.”
• Click Done.

Your McMaster extension is now registered as a verification option! When you sign in to a new Microsoft 365 service, you can select the “Phone – call” option to receive a verification call at your desk and or softphone application.

Voicemail to Email Phishing (VTE)

Voicemail to email is a system feature that records a voicemail as an audio file and sends it to an email address. The recipient is then able to download the file right from their email and play it using a media player on their smartphone or PC.

A new phishing scam uses voicemail notification emails to spread malware. Do not click to listen to “voicemails” or to open any other files from people that you do not recognize.  Phishing is a technique used by criminals in which they send you an email message and ask you to click on a link to visit a website.

LEGITIMATE MCMASTER VOICEMAIL TO EMAIL:

VOICEMAIL to EMAIL is a feature on your McMaster extension. A WAV file is attached to your email containing the voice message. Legitimate messages will generally have:
• McMaster’s AAM messaging system displayed as “@vce20aamsto.uts.mcmaster.ca”
• An email subject with this format: Voice Message from xxxxxxxxxx / “NAME OF CALLER”
• The messaging access number 22993, caller information, duration, and WAV file in the body of the email