Colleagues,
New safeguards have been added to help protect the campus community from phishing attacks that could result in unauthorized access to employees’ UCPath accounts and paycheck information.
Campus IT officials are leveraging new capabilities from the Duo Mobile multi-factor authentication application. While using the Duo Push function (clicking the green check mark) remains the safest option, using Duo mobile passcodes(link is external) is another option and is the one we are strengthening. Effective Monday, July 22, CalNet will implement time-based, one-time passcodes, replacing persistent passcodes with ones that expire 30 seconds from the time of the request. This is to prevent attackers from storing and using passcodes to compromise accounts. If you encounter trouble with Duo, please open a service ticket by emailing: calnet2-stephelp@berkeley.edu(link sends e-mail).
This action follows eight incidents in the last two months in which cyber criminals used phishing schemes to gain employee CalNet credentials and access UCPath, where they redirected the employee’s direct deposit paycheck to a banking application the hacker could access.
In addition to the Duo change noted above, campus IT officials are also working with UC systemwide officials to help further secure UCPath. To help protect yourself from this current threat, please consider taking the following actions:
- Add a personal email. Add a personal (non-campus) email to your UCPath account so the UCPath Center can contact you about any unusual activity. Use your CalNet credentials to log into UCPath(link is external), go to Employee Actions > Personal Information > Personal Information Summary > Email Addresses. View instructions for adding your personal email in UCPath(link is external).
- Check direct deposit. Check the direct deposit information in your UCPath account to ensure accuracy. While logged into UCPath, go to Employee Actions > Income and Taxes > Direct Deposit. Follow these steps for updating direct deposit details(link is external).
- Be alert to phishing. In this recent case, the criminals sent an email with an urgent request that directed users to a website that looked very similar to the CalNet login page but requested a Duo passcode be entered. We always recommend checking the sender’s email address as emails can be spoofed. You can do this by floating your cursor over the address to make sure it is legitimate. In addition, do not click on links or download documents within any email that you did not expect, and never fill out any unsolicited forms that ask for your personal or financial information. When in doubt, confirm with the sender using known contact information or report it as a potential phishing attack(link is external).
- Watch out for Duo 2-Step tricks. When criminals log in with stolen usernames and passwords, a Duo request is sent. Because many of us are accustomed to receiving these requests, you might inadvertently accept the request, or the criminals may send multiple Duo requests to create a sense of urgency. Another tactic is requesting “Duo passcodes” – remember that a Duo Push is always safest. If any Duo requests look unusual, report the activity to the Information Security Office(link sends e-mail), and follow best practices to keep your Duo activity safe(link is external).
- Access training. As always, it’s important to stay up to date on your annual cyber security training(link is external). View tips on what you can do to avoid phishing(link is external) plus other scams and bookmark the Phish Tank(link is external) so you can see examples of some of the latest attacks.
Under campus policy, employees who are victims of such schemes as the UC Path situation are directed to file a police report to launch a process to recover their missed pay. As we have stated in other recent CalMessages, cyber attacks in higher education are growing at an alarming rate, with higher education institutions across the country facing sophisticated attacks that target our most sensitive systems and data.
Thank you for your attention to this matter and your partnership in our efforts to thwart cyber threats.
Sincerely,
Tracy Shinn
Associate Vice Chancellor for IT and Chief Information Officer
This message was sent to all UC Berkeley faculty and staff. If you are a manager who supervises UC Berkeley employees without email access, please circulate this information to all.