We are actively investigating a systemwide direct deposit phishing campaign targeting University of California employees, including faculty, staff, and students. Attackers are attempting to reroute UCPath Direct Deposit payments by stealing login credentials.
Our teams are working closely with the UC Office of the President to assess the situation and coordinate campus-wide communication. This page will be updated as new information becomes available. A formal campus-wide message with additional details is being prepared and will be shared soon.
Thank you for your continued partnership and for taking the time to address this important matter.
How the Attacks Are Being Delivered
These are sophisticated, multi-channel attacks using new tactics to trick users:
-
Phishing emails: Messages with varied subject lines are directing users to fake UCPath login pages.
-
Text messages: Some users are receiving SMS messages asking for Duo codes.
-
Imposter websites: The phishing sites closely mimic the real UCPath interface, but use addresses ending in .org, .blog, or .net.
-
Fake sponsored Google Ads: We have seen examples of promos that lead to fake UC Path websites sponsored in Google Ads.
Never Share Duo Push Codes Via Text or Email
Verified Duo codes are only used within the Duo app. Learn how Verified Duo Push works
What You Can Do Right Now
Slow Down and Inspect Messages Carefully
Don’t click links under pressure—when in doubt, report suspicious activity to phishing@berkeley.edu. View examples in the Phish Tank
Bookmark the Official UCPath URL
The official website is ucpath.universityofcalifornia.edu. Fake sites may use lookalike addresses that end in .org, .blog, or .net but look exactly like the real site.
Add a Personal Email to Your UCPath Profile
This ensures you'll receive communication if your account is changed. How to add a personal email in UCPath
Check Direct Deposit Settings
Review your banking info in UCPath regularly. Attackers are using real routing numbers to avoid detection. Steps to review and update direct deposit info
Report Compromised Accounts
If you receive reports of suspicious accounts or Duo activity or think you have been compromised, send an email to security@berkeley.edu.