Colleagues,
New safeguards have been added to help protect the campus community from phishing attacks that could result in unauthorized access to employees’ UCPath accounts and paycheck information.
Campus IT officials are leveraging new capabilities from the Duo Mobile multi-factor authentication application. While using the Duo Push function (clicking the green check mark) remains the safest option, using Duo mobile passcodes is another option and is the one we are strengthening. Effective Monday, July 22, CalNet will implement time-based, one-time passcodes, replacing persistent passcodes with ones that expire 30 seconds from the time of the request. This is to prevent attackers from storing and using passcodes to compromise accounts. If you encounter trouble with Duo, please open a service ticket by emailing: calnet2-stephelp@berkeley.edu.
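The mechanism behind the change described above is the RFC 6238 time-based one-time password (TOTP) scheme: the passcode is an HMAC over the current 30-second time step, so a code captured by a phishing page stops validating once that step has passed, and a properly implemented verifier also refuses to accept the same code twice within a step. The following is an added illustration written for this message, not CalNet's or Duo's own code; it assumes the textbook RFC 4226/6238 parameters (HMAC-SHA1, 6 digits, 30-second step), and the secret, timestamps and scenario are constructed for the example.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # the 30-second lifetime described in the message
DIGITS = 6          # assumed code length (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side check: the code must match the current time step, and a code
    already accepted for a step is never accepted again (the 'one-time' part)."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self.secret = secret
        self.step = step
        self.last_accepted_step = -1

    def verify(self, candidate: str, now: int) -> bool:
        current = now // self.step
        if current <= self.last_accepted_step:
            return False  # replay of a code already used in this (or an earlier) step
        if not hmac.compare_digest(hotp(self.secret, current), candidate):
            return False  # stale code from an earlier step, or simply wrong
        self.last_accepted_step = current
        return True


def replay_scenario(secret: bytes) -> dict:
    """Constructed scenario: a code captured at t0 is tried immediately, again
    within the same 30-second window, and again after the window has passed."""
    t0 = 1_721_606_400  # constructed timestamp, aligned to a 30-second boundary
    captured = totp(secret, t0)
    v = TotpVerifier(secret)
    return {
        "first_use_at_t0": v.verify(captured, t0),             # True: legitimate use
        "reuse_at_t0_plus_10": v.verify(captured, t0 + 10),    # False: same step, already used
        "reuse_at_t0_plus_60": v.verify(captured, t0 + 60),    # False: window has passed
        "fresh_code_at_t0_plus_60": v.verify(totp(secret, t0 + 60), t0 + 60),  # True
    }


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret, used here only to exercise the functions.
    demo_secret = b"12345678901234567890"
    print(replay_scenario(demo_secret))
```

The short step is what limits storing a code for later: a code that leaked is worthless a minute later, which is the property the campus change relies on. Note that it does not stop a code being relayed while it is still fresh, which is why the message still recommends Duo Push over typed passcodes. Duo's real implementation may differ from these textbook parameters.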
This action follows eight incidents in the last two months in which cyber criminals used phishing schemes to gain employee CalNet credentials and access UCPath, where they redirected the employee’s direct deposit paycheck to a banking application the hacker could access.
In addition to the Duo change noted above, campus IT officials are also working with UC systemwide officials to help further secure UCPath. To help protect yourself from this current threat, please consider taking the following actions:
- Add a personal email. Add a personal (non-campus) email to your UCPath account so the UCPath Center can contact you about any unusual activity. Use your CalNet credentials to log into UCPath, go to Employee Actions > Personal Information > Personal Information Summary > Email Addresses. View instructions for adding your personal email in UCPath.
- Check direct deposit. Check the direct deposit information in your UCPath account to ensure accuracy. While logged into UCPath, go to Employee Actions > Income and Taxes > Direct Deposit. Follow these steps for updating direct deposit details.
- Be alert to phishing. In this recent case, the criminals sent an email with an urgent request that directed users to a website that looked very similar to the CalNet login page but requested that a Duo passcode be entered. We always recommend checking the sender’s email address, as emails can be spoofed. You can do this by hovering your cursor over the address to make sure it is legitimate. In addition, do not click on links or download documents within any email that you did not expect, and never fill out any unsolicited forms that ask for your personal or financial information. When in doubt, confirm with the sender using known contact information or report it as a potential phishing attack.
- Watch out for Duo 2-Step tricks. When criminals log in with stolen usernames and passwords, a Duo request is sent. Because many of us are accustomed to receiving these requests, you might inadvertently accept the request, or the criminals may send multiple Duo requests to create a sense of urgency. Another tactic is requesting “Duo passcodes” – remember that a Duo Push is always safest. If any Duo requests look unusual, report the activity to the Information Security Office, and follow best practices to keep your Duo activity safe.
- Access training. As always, it’s important to stay up to date on your annual cyber security training. View tips on what you can do to avoid phishing plus other scams and bookmark the Phish Tank so you can see examples of some of the latest attacks.
Under campus policy, employees who are victims of schemes such as the UCPath situation are directed to file a police report to launch a process to recover their missed pay. As we have stated in other recent CalMessages, cyber attacks in higher education are growing at an alarming rate, with higher education institutions across the country facing sophisticated attacks that target our most sensitive systems and data.
Thank you for your attention to this matter and your partnership in our efforts to thwart cyber threats.
Sincerely,
Tracy Shinn
Associate Vice Chancellor for IT and Chief Information Officer
This message was sent to all UC Berkeley faculty and staff. If you are a manager who supervises UC Berkeley employees without email access, please circulate this information to all.