Don’t Take the Bait: Protect Yourself from Phishing Scams

January 7, 2016

Dear Campus Community,

I suspect most of us now appreciate what a challenge it is to protect our personal and University sensitive data from compromise. At UC Berkeley, like other universities across the country, phishing attacks and stolen credentials remain the top threats to our individual and institutional online security.

As we get ready to kick off spring semester, we feel it is important for you to take a moment to inform yourself in order to protect your online identity and data.

Don’t take the bait: keep an eye out for the phish!

Anti-Phish Tip: Never send your password in email
The Trap: You receive an urgent email that appears to be from CSS IT asking you to reply with your password because your account is "compromised" or "over quota" or "suspended due to inactivity."
Your Defense: Decline requests to send CalNet ID or passphrase info, bank account, Social Security, or driver's license numbers, health information, or health insurance information via email.

Anti-Phish Tip: Don't click unexpected links
The Trap: You receive an unexpected email that claims to be from the "Help Desk" or someone you know. It says it's urgent. You must click a link to prevent problems with your account.
Your Defense: Be skeptical of any email that you aren't expecting. Password thieves may insist that immediate action is necessary and may pretend to be your friend or some other trusted entity. Don't let these tactics trick you; it is very likely a scam.

Anti-Phish Tip: Look out for deceptive links
The Trap: You receive an email telling you to "click here" to verify your account.
Your Defense: Hover over the link (don't click!), or for a touch screen, press and hold the link (don't tap!) to reveal the actual URL (look in the bottom left corner of the browser window). Don't click on a link unless it goes to a URL you trust. While less convenient, the safest alternative is to type the website address yourself in your web browser.

Anti-Phish Tip: Before entering CalNet credentials, verify https://auth.berkeley.edu
The Trap: You are asked to enter your CalNet passphrase on what looks like the standard CalNet Authentication page.
Your Defense: Trusted UCB authentication pages will never have anything phishy before the first single slash. Fraudulent login screens designed to steal your credentials may look authentic if you're not paying attention to the URL:

Good Example - Secure URL address for CalNet:  
//auth.berkeley.edu/cas/login?service

Bad Example - Do Not Enter Your Credentials:
//auth.berrkeley.webs.com/cas/login?service
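
The hover-and-compare check described above can also be done mechanically. The following Python sketch is an added example, not part of the original message: it extracts each link from an HTML email body, compares the real destination host exactly against auth.berkeley.edu, and flags visible link text that names a different host than the one the link goes to. The function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_LOGIN_HOST = "auth.berkeley.edu"  # the CalNet login host named in the memo

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def shown_host(text):
    """Host named by the visible link text, or None if the text is not URL-like."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "//" in text else "//" + text).hostname

def check_link(href, text):
    """Return the reasons a purported CalNet login link fails (empty list = passes)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").rstrip(".")
    reasons = [] if parts.scheme == "https" else ["not https"]
    if host != TRUSTED_LOGIN_HOST:  # exact host match, never a substring test
        reasons.append(f"host is {host}, not {TRUSTED_LOGIN_HOST}")
    if shown_host(text) not in (None, host):
        reasons.append("visible text names a different host")
    return reasons

def audit_email(html):
    """Check every link in an HTML body; returns [(href, reasons), ...]."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, check_link(href, text)) for href, text in collector.links]

# Constructed sample message; the two URLs are the memo's good and bad examples with https: added.
SAMPLE_EMAIL = """<p>Your account is over quota. Verify it at
<a href="https://auth.berrkeley.webs.com/cas/login?service">https://auth.berkeley.edu/cas/login</a>
or <a href="https://auth.berkeley.edu/cas/login?service">click here</a>.</p>"""

print(audit_email(SAMPLE_EMAIL))
```

The bad example fails on two counts: its host ends in webs.com rather than matching auth.berkeley.edu, and its visible text advertises a host the link does not go to.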

Ultimately, if you’re not sure if it's a phish, forward the message to consult@berkeley.edu. Remember, Cyber Security is not just IT’s responsibility; it is everyone's responsibility. The more informed you are, the better you can protect yourself and sensitive campus data.

Phishing Resources

Regards,

Larry Conrad, Associate Vice Chancellor for IT and Chief Information Officer
Paul Rivers, Chief Information Security Officer