The Information Security team has identified a new phishing scam circulating among the York University community on September 10th, 2025. The email was sent from a compromised external email address using the subject line "Osgoode //Message ID:[#]..." AND "Yorku - //Supplies sign request Document Message ID:[#]" and was observed to be targeting York credentials. The email purports to be a fake document review request from DocuSign and prompts recipients to submit their credentials into a fake login page. A picture of the phishing email is shown below:
The email described above is NOT legitimate and was NOT sent by York University. If you entered your Passport York (or another account’s) credentials into a fake login page you may have been redirected to from the malicious attachment, please change your password immediately. If you have re-used the compromised password on any other accounts, please change the passwords for those accounts to something complex and unique to each account. Passport York passwords can be changed at https://mms.yorku.ca, logging in, clicking on “Passport YORK” on the left-hand menu and clicking the “Change My Password” button on the right.
Red Flags to Watch Out For:
- Suspicious sender email: The sender's email address is randomly generated and not associated with York University’s official IT services.
- Request for personal details: York University would NEVER ask for passwords, Duo/MFA passcodes, or other sensitive information via email.
What to Do:
- Do not respond to this email or provide any personal information.
- Do not click any links or open attachments that may be included.
- Report the email: If you received this phishing attempt, please report it using the Report Phishing button or forward it to phishing@yorku.ca