Frequently Asked Questions - Phishing

What is Phishing?

Phishing is a type of attack carried out in order to steal usernames, passwords, credit card information, Social Security Numbers, and other sensitive data by masquerading as a trustworthy entity. Phishing is most often seen on campus in the form of malicious emails pretending to be from credible sources such as UC Berkeley technology departments or financial organizations related to the university.

By tricking campus users into giving away their information, attackers can:

  • Steal money from victims (modify direct deposit information, drain bank accounts)
  • Perform identity theft (run up charges on credit cards, open new accounts)
  • Send spam from compromised email accounts
  • Use your credentials to access other campus systems, attack other systems, steal confidential University data, and jeopardize the mission of the campus

The goal of most Phishing emails is to trick you into visiting a web site in order to steal your CalNet credentials. Attackers will set up web sites under their control that look and feel like legitimate web sites. Often the Phishing emails will have an immediate call to action that demands you "update your account information" or "login to confirm ownership of your account". If you enter your CalNet credentials into these illegitimate web sites, you are actually sending your CalNet username and password directly to the attackers.

What can I do to avoid Phishing attacks?

Click and review these 5 essential Anti-Phishing tips to avoid being "Phished":

  1. Passwords in Email = Epic Fail. Never send your passwords in email!
  2. If you didn't expect it, reject it. Don't click unexpected links!
  3. Hover to Discover. Look out for deceptive links!
  4. Check for Trash Before the Slash. Verify "https://auth.berkeley.edu/" in your browser bar before entering CalNet credentials!
  5. Is it a Phish? Drop us a line. 

Additionally:

  • If you are worried about an account, call the organization which maintains it (like your bank).
  • Check the email address—does it really match the text of the email? Does it match the legitimate email of the organization it is supposed to be tied to?
  • Check the security certificate of any website into which you are entering sensitive data. The address should usually begin with https://, and some browsers display a padlock symbol in the address or status bar. Anything on the web page itself claiming the site is safe can be falsified and is not verified by the browser you are using, so it shouldn't be trusted.
  • Keep your software current.
  • Install antivirus software.
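
Tips 3 and 4 above ("Hover to Discover" and "Check for Trash Before the Slash") both come down to one question: which host does the link actually connect to? The Python below is an added example, not part of this FAQ or of any campus tool; it applies the browser's own URL parsing rule to constructed sample links (the *-example.test names are placeholders, not real sites) and reports why each one does or does not land on https://auth.berkeley.edu/.

```python
from urllib.parse import urlsplit

# The only host where CalNet credentials belong, per tip 4 above.
EXPECTED_HOST = "auth.berkeley.edu"


def check_link(url: str, expected_host: str = EXPECTED_HOST) -> list:
    """Return the reasons a link is NOT a legitimate CalNet login link.

    urlsplit() follows the browser rule: the host is what sits after '://'
    (and after any 'user@' block) up to the next '/', ':', '?' or '#'.
    An empty list means the link goes to exactly expected_host over HTTPS.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is %r, not https" % parts.scheme)
    if "@" in parts.netloc:
        reasons.append("text before '@' is a username, not the site")
    if host == expected_host:
        return reasons
    # The expected name may be present somewhere, but not as the real host.
    if host.startswith(expected_host + "."):
        reasons.append("expected host is only a prefix; real host is %r" % host)
    elif expected_host in parts.netloc or expected_host in parts.path:
        reasons.append("expected host is trash around the slash; real host is %r" % host)
    else:
        reasons.append("host %r is not %r" % (host, expected_host))
    return reasons


# Constructed sample links for demonstration; *-example.test names are placeholders.
SAMPLE_LINKS = [
    "https://auth.berkeley.edu/login",
    "http://auth.berkeley.edu/login",
    "https://auth.berkeley.edu.login-example.test/login",
    "https://auth.berkeley.edu@login-example.test/login",
    "https://login-example.test/auth.berkeley.edu/login",
]


def audit(links=SAMPLE_LINKS) -> dict:
    """Map each link to its reasons; an empty list means it passes the check."""
    return {link: check_link(link) for link in links}


if __name__ == "__main__":
    for link, reasons in audit().items():
        print("OK  " if not reasons else "WARN", link, "; ".join(reasons))
```

Only the first sample link passes; every other one contains "auth.berkeley.edu" somewhere in its text yet sends the credentials elsewhere.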

How can I identify a Phishing scam?

The first rule to remember: never give out any personal information in email. No institution, bank or otherwise, will ever ask for this information via email. It may not always be easy to tell whether an email or website is legitimate, but there are many tools to help find out.

  • In the body of an email, you might see questions asking you to “verify” or “update your account” or “failure to update your records will result in account suspension.” It is usually safe to assume that no credible organization to which you have provided your information will ever ask you to re-enter it, so do not fall for this trap.
  • Any email that asks for your personal or sensitive information should be seriously scrutinized and not trusted. Even if the email has official logos or text, or even links to a legitimate website, it could easily be fraudulent. Never give out your personal information.

Why is understanding the risk of Phishing important?

Phishing attacks are an ongoing threat to campus and are becoming increasingly sophisticated. Successful Phishing attacks can cause financial loss for victims and put their personal information at risk. 

Each individual on campus is responsible for protecting their own CalNet credentials. Please take a moment to review the following tips on recognizing Phishing emails:

How would I know if my CalNet credentials were compromised?

You may not always know. Scams and malware that steal passwords are designed to be stealthy and go unnoticed.

Passwords are most frequently compromised in one of three ways:
  • Being tricked into giving up your credentials at a real-looking but fake website (AKA Phishing)
  • Malware or other compromise of your device that installs software designed to run in the background and steal passphrases
  • Re-using CalNet credentials on non-UCB websites; when one of those sites is hacked, every credential it holds is exposed

However, a couple of tell-tale signs of credential compromise are:

  • Your colleagues and friends have received unexpected messages from your email account (spam or additional Phishing emails)
  • You suddenly cannot log in with your CalNet credentials because an attacker has changed your passphrase

The best defense addresses all three main threats:
  • Know how to evaluate whether websites asking for your passphrase are legitimate. When in doubt, ask by sending an email to consult@berkeley.edu or calling the CSS-IT Service Desk at 510-664-9000
  • Only use devices which are rigorously maintained. Rigorously maintained means that patches for all software are installed as they become available, that browsers are configured for maximum security, and that the device otherwise meets the campus Minimum Security Standards for Networked Devices.
  • Do not reuse your CalNet passphrase for other websites

If in doubt regarding the security of your CalNet account, change your CalNet passphrase!

When changing your CalNet passphrase, be sure to do so from a machine you believe is not infected by malware or otherwise compromised. Anti-malware and anti-virus scans should result in a "clean" report (no infections) for the machine you intend to use to change your CalNet passphrase from.

Note: Information Security and Policy is sometimes informed when passwords associated with UC Berkeley accounts are exposed in public forums or discovered during breach investigations. In these cases, we may test the exposed passwords to see if they are valid CalNet passphrases. If a passphrase is validated, it will be scrambled immediately and the account deactivated until the account owner is contacted to create a new passphrase. This testing is done only for validation purposes and is not used for access to the account holder's email or other electronic services.

Please see Why did I get a Credential Exposure notice and what should I do? for information on what to do if you receive an ISP Security notification for exposure of your account credentials.

Who do I contact if I think my CalNet credentials were compromised?

If you believe your CalNet credentials have been compromised, you must reset your CalNet passphrase immediately.

STUDENTS:

FACULTY, STAFF, AFFILIATES, AND GUESTS:

What if my personal email account, bank account, or other accounts were compromised?

  • Immediately change your passwords for any potentially compromised accounts
  • Contact your bank or financial advisor to let them know your accounts may be compromised and ask them to put a fraud alert on your accounts
  • Check your bank and financial statements and credit reports regularly to identify any false charges or suspicious activity
  • If you believe you are a victim of identity theft, please see the Federal Trade Commission's Immediate Steps to Repair Identity Theft.

How do I report a Phishing or suspicious email?

If you receive an email you are not sure about, forward the suspicious email -- don't reply -- to consult@berkeley.edu or call the CSS-IT Service Desk at 510-664-9000. The email can be blocked from the campus system to prevent others from falling victim to the Phishing attack.

What is the university doing to strengthen authentication requirements, like requiring more than just a username and password to get into applications with sensitive data?

The University has recently introduced "multifactor authentication" on campus. "Multifactor" or "two-factor" authentication solutions require the account-holder to provide a secondary credential during the login process, usually a device-generated token, in addition to their account passphrase.

CalNet 2-Step is the campus two-factor (2FA) solution, mandatory for all faculty and staff as of early 2018. With CalNet 2-Step, after entering a CalNet ID and passphrase, the account-holder will be prompted for a second step using a verification device, such as a smartphone.

Visit the CalNet website to learn more about the 2-Step program: https://calnetweb.berkeley.edu/calnet-2-step

Do I only need to worry about Phishing attacks via email?

No. Phishing attacks can also occur through phone calls, texts, instant messaging, or malware on your computer which can track how you use your computer and send valuable information to identity thieves. It is important to be vigilant at all times and remain suspicious of sources that ask for your credentials and other personal information.

How can I help raise awareness about Phishing?

The Anti-Phishing Resource Materials page contains helpful Anti-Phishing posters and flyers. You are encouraged to print, hang, and distribute these materials on campus.

Where can I learn more about avoiding Phishing scams?