To our campus community,
Heads up! There is another phishing campaign targeting the payroll payments of University of California employees, including faculty, staff, and students. Attackers are attempting to reroute UCPath Direct Deposit payments by stealing login credentials.
How Attacks Are Delivered
These attacks are sophisticated and use both old and new tactics:
- Phishing emails. Subject lines can vary, but the goal is to get people to click on a fake UCPath website link to enter their credentials. Then, attackers use that login info to reroute direct deposit payments. View examples of fraudulent messages in the Phish Tank.
- Text messages. Some attacks are delivered as direct text messages to users asking for Duo login codes.
- Imposter webpages and Google Ads. We have seen examples of extremely authentic-looking fake UCPath pages sent in phishing emails and sponsored in Google Ads.
What You Can Do
- Never send or receive a Verified Duo Push Code outside of the app. Verified Duo Push Codes are presented on screen and only go into the application. Review instructions on how Verified Duo Push works.
- Bookmark the official UCPath site: ucpath.universityofcalifornia.edu. Imposter site URLs contained addresses ending in .org, .blog, or .net, but looked exactly like the real site.
- Check your recovery email address. Adding a personal (non-UC Berkeley) email to your UCPath account is vital so you can be notified about any activity. View instructions for adding your personal email in UCPath.
- Review direct deposit settings. Check the routing information for your UCPath account. These new attacks are using routing numbers for major banks to better avoid detection. Follow these steps for updating direct deposit details.
- Slow down and review emails. Don’t be pressured into clicking a link in a rush. Learn what to look out for to avoid taking the bait.
Report Suspicious Activity Immediately
If you receive reports of Duo activity or think you have been compromised, send an email to security@berkeley.edu.
Our teams are working closely with the UC Office of the President to assess the scope of the attack. We will update the UCPath Phishing Attack webpage with new information as it becomes available.
Thank you for your continued attention to keeping UC data and systems safe!
Tracy Shinn
Associate Vice Chancellor for IT and Chief Information Officer
Allison Henry
Chief Information Security Officer
This message was sent campus-wide to all student employees, staff, and faculty. If you are a manager who supervises UC Berkeley employees without email access, please circulate this information to all.