Ongoing UCPath Direct Deposit Phishing Attacks – Stay Alert

May 22, 2025

It's essential for the Berkeley community to stay alert and to watch out for these types of threat actors. Together, we can create a strong defense. 

What you can do right now

Sign up for the UC-provided free identity monitoring through Experian.

How UC is working to protect you

  • Manual verification of direct deposit changes. UC manually verifies all direct deposit changes. This process has saved hundreds of thousands of dollars in employee pay from fraud.
  • Investigation of phishing and fraud reports. UC Berkeley investigates every report of phishing or fraudulent activity involving UC credentials. If you think someone has accessed your UC account without permission, contact security@berkeley.edu right away.
  • Takedown of fraudulent websites. UC monitors fake websites that target our employees. The team works with domain registrars and search engines to take down these sites. So far, they have removed or are in the process of removing 15 fraudulent websites.
  • Ongoing improvements to multi-factor authentication (MFA). We continue to strengthen our use of multi-factor authentication (CalNet 2-Step) to improve account protection and reduce unauthorized access. 

Read the full article from UCNet

May 18, 2025

We are actively investigating a systemwide direct deposit phishing campaign targeting University of California employees, including faculty, staff, and students. Attackers are attempting to reroute UCPath Direct Deposit payments by stealing login credentials.

Our teams are working closely with the UC Office of the President to assess the situation and coordinate campus-wide communication. This page will be updated as new information becomes available. A formal campus-wide message with additional details is being prepared and will be shared soon.

Thank you for your continued partnership and for taking the time to address this important matter.

How the Attacks Are Being Delivered

These are sophisticated, multi-channel attacks using new tactics to trick users:

  • Phishing emails: Messages with varied subject lines are directing users to fake UCPath login pages.

  • Text messages: Some users are receiving SMS messages asking for Duo codes.

  • Imposter websites: The phishing sites closely mimic the real UCPath interface, but use addresses ending in .org, .blog, or .net.

  • Fake sponsored Google Ads: We have seen sponsored results in Google Ads that lead to fake UCPath websites.

Never Share Duo Push Codes Via Text or Email

Verified Duo codes are only used within the Duo app. Learn how Verified Duo Push works.

What You Can Do Right Now

Slow Down and Inspect Messages Carefully

Don’t click links under pressure. When in doubt, report suspicious activity to phishing@berkeley.edu. View examples in the Phish Tank.

Bookmark the Official UCPath URL

The official website is ucpath.universityofcalifornia.edu. Fake sites may use lookalike addresses that end in .org, .blog, or .net but look exactly like the real site. 
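
The check below is an added example, not UC's or UCPath's own code. It compares a link taken from a reported message against the official hostname, and goes beyond the three endings named above by flagging UCPath branding on any host that is not the official one. The BRAND_TOKENS list and the sample links (on reserved example domains) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "ucpath.universityofcalifornia.edu"  # official site named in the advisory
NAMED_ENDINGS = (".org", ".blog", ".net")            # lookalike endings named in the advisory
BRAND_TOKENS = ("ucpath", "universityofcalifornia")  # assumption: strings worth flagging


def classify_link(url):
    """Return (verdict, reason); verdict is 'official', 'suspicious' or 'unrelated'."""
    try:
        parts = urlsplit(url.strip())
        if not parts.netloc:
            # Bare "host/path" text: re-parse with "//" so the host is recognised.
            parts = urlsplit("//" + url.strip())
        # Normalise case and a trailing dot before comparing hostnames.
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ("suspicious", "unparseable URL")
    if host == OFFICIAL_HOST:
        return ("official", "exact match on the official hostname")
    # Check the whole authority, so branding placed before an "@" is caught too.
    authority = parts.netloc.lower()
    if any(token in authority for token in BRAND_TOKENS):
        if host.endswith(NAMED_ENDINGS):
            return ("suspicious", "UCPath branding on an ending named in the advisory")
        return ("suspicious", "UCPath branding on a host that is not the official one")
    return ("unrelated", "no UCPath branding in the address")


# Constructed sample links on reserved example domains, not real indicators.
SAMPLES = [
    "https://ucpath.universityofcalifornia.edu/home",
    "https://UCPATH.UniversityOfCalifornia.edu./login",
    "https://ucpath.universityofcalifornia.edu.example.org/login",
    "https://ucpath-universityofcalifornia.example.net/",
    "https://ucpath.universityofcalifornia.edu@login.example.com/",
    "www.example.com/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify_link(link), link)
```

Only an exact hostname match counts as official; the third and fifth samples show why a link that merely contains the official name is not enough.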

Add a Personal Email to Your UCPath Profile

This ensures you'll receive communication if your account is changed. How to add a personal email in UCPath.

Check Direct Deposit Settings

Review your banking info in UCPath regularly. Attackers are using real routing numbers to avoid detection. Steps to review and update direct deposit info.

Report Compromised Accounts

If you receive reports of suspicious accounts or Duo activity, or think you have been compromised, send an email to security@berkeley.edu.