Frequently Asked Questions - Phishing

Phishing answers

What is Phishing?

Phishing is a type of attack carried out in order to steal information or money. Phishing attacks can occur through email, phone calls, texts, instant messaging, or social media. Attackers are after your personal information: usernames, passwords, credit card information, Social Security numbers. However, they are also after intellectual property, research data, and institutional information.

Phishing scams can have several goals, including:

  • Stealing from victims - modifying direct deposit information, draining bank accounts.
  • Performing identity theft - running up charges on credit cards, opening new accounts.
  • Purchasing items - buying gift cards, tricking victims into working on their behalf.
  • Getting victims to act - clicking on malicious links, installing malware on their devices.

How can I identify a Phishing scam?

The first rule to remember is to never give out any personal information in an email. No institution, bank or otherwise, will ever ask for this information via email. It may not always be easy to tell whether an email or website is legitimate, and phishing emails use social engineering tactics to create sophisticated scams.

  • In the body of an email, you might see questions asking you to “verify” or “update your account” or “failure to update your records will result in account suspension.” It is usually safe to assume that no credible organization to which you have provided your information will ever ask you to re-enter it, so do not fall for this trap.
  • Any email that asks for your personal or sensitive information should be carefully scrutinized and not trusted. Even if the email has official logos or text or even links to a legitimate website, it could easily be fraudulent. Never give out your personal information.

Why is understanding the risk of Phishing important?

Phishing attacks are a constant threat to campus and are becoming increasingly sophisticated. Successful Phishing attacks can:

  • Cause financial loss for victims
  • Put their personal information at risk
  • Put university data and systems at risk

All workforce members are responsible for protecting institutional data and complying with information security obligations stated in UC policy, laws, governmental regulations, contracts, external obligations, and grants.

What can I do to avoid Phishing attacks?

We encourage the UC Berkeley community to take an active role in protecting themselves against phishing attacks. Use our helpful tips in our Fight the Phish campaign to recognize and report phishing attacks.

Additionally:

  • If you are worried about an account, call the organization which maintains it (like your bank)
  • Check the email address—does it really match the text of the email? Does it match the legitimate email of the organization it is supposed to be tied to?
  • Check the security certificate of any website into which you are entering sensitive data. The address should usually begin with https:// and some browsers will display padlock symbols in the address and status bars. Anything on a website saying it is safe can be falsified and is not verified by the browser you are using, and so shouldn’t be trusted
  • Keep your software current
  • Install antivirus software

How would I know if my CalNet credentials were compromised?

You may not always know. Scams and malware that steal passwords are designed to be stealthy and unnoticed.

Passwords are most frequently compromised in one of three ways:

  • Being tricked into giving up your credentials at a real-looking but scam website (AKA Phishing)
  • Malware or other compromises of your device that install software designed to run in the background and steal passphrases
  • Reusing CalNet credentials for non-UCB websites, where the non-UCB websites are hacked and all credentials exposed

However, a couple of tell-tale signs of credential compromise are:

  • Your colleagues and friends have received unexpected messages from your email account (spam or additional Phishing emails)
  • You suddenly cannot log in with your CalNet credentials because an attacker has changed your passphrase

The best defense addresses all three main threats:

  • Know how to evaluate whether websites asking for your passphrase are legitimate. When in doubt, ask by sending an email to itcsshelp@berkeley.edu or contacting ITCS at 510-664-9000
  • Only use devices that are up-to-date. This means patches for all software are installed as soon as the patches become available, that the browsers are configured for maximum security, and the device otherwise meets the campus Minimum Security Standards for Networked Devices.
  • Do not reuse your CalNet passphrase for other websites

If in doubt regarding the security of your CalNet account, change your CalNet passphrase!

When changing your CalNet passphrase, be sure to do so from a machine you believe is not infected by malware or otherwise compromised. Anti-malware and antivirus scans should result in a "clean" report (no infections) for the machine you intend to use to change your CalNet passphrase.

Additionally, if you answer yes to any of the following questions, you should also reach out to the ISO office, by emailing security@berkeley.edu:

  • While performing your normal duties, do you access protected data (UC P4) from the workstation for University business, including access to the data through central campus applications/services (ImageNow, PeopleSoft, HCM, Payroll/PPS, BFS, etc)?
  • Do you suspect there are University (non-personal) documents containing protected data stored on the workstation?
  • Are there file shares (also known as network drives or mapped drives) mounted on your workstation with stored protected data, whether or not you work with those files?
  • Do you use accounts on this workstation that have privileged [administrator, superuser, database owner (dbo)] access to other systems with protected data?
  • Do you store any usernames and passwords in plain-text (not encrypted) on the workstation?
  • Do you work with Research data regulated by Campus Institutional Review Boards (IRB), California Committee for the Protection of Human Subjects (CPHS), or subject to other Data Access Agreements?

Note: The Information Security Office is sometimes informed when passwords associated with UC Berkeley accounts are exposed in public forums or discovered during breach investigations. In these cases, we may test the exposed passwords to see if they are valid CalNet passphrases. If the passphrase is validated, it will be scrambled immediately and the account deactivated until the account owner is contacted to create a new passphrase. This testing is done only for validation purposes and is not used for access to the account holder's email or other electronic services.

Please see Why did I get a Credential Exposure notice and what should I do? for information on what to do if you receive an ISO Security notification for exposure of your account credentials.

Who do I contact if I think my CalNet credentials were compromised?

If you believe your CalNet credentials have been compromised, and you still have access to your account, change your password immediately.  Instructions for changing your passphrase can be found online: https://calnetweb.berkeley.edu/calnet-me/manage-my-calnet-account#passph....

If you are not able to access your account, contact security@berkeley.edu.

If you have received notice from CalNet that your account has been locked, email calnet@berkeley.edu.

To regain access to your accounts, you will need to verify your ID by showing a government-issued photo ID via Zoom or in person, so be prepared.

To open a ticket with CalNet, email calnet@berkeley.edu or call (510) 643-6839.

Additionally, if you answer yes to any of the following questions, email the Information Security Office at security@berkeley.edu immediately to report the compromise.

  • While performing your normal duties, do you access protected data (UC P4) from the workstation for University business, including access to the data through central campus applications/services (ImageNow, PeopleSoft, HCM, Payroll/PPS, BFS, etc)?
  • Do you suspect there are University (non-personal) documents containing protected data stored on the workstation?
  • Are there file shares (also known as network drives or mapped drives) mounted on your workstation with stored protected data, whether or not you work with those files? 
  • Do you use accounts on this workstation that have privileged [administrator, superuser, database owner (dbo)] access to other systems with protected data?
  • Do you store any usernames and passwords in plain-text (not encrypted) on the workstation?
  • Do you work with Research data regulated by Campus Institutional Review Boards (IRB), California Committee for the Protection of Human Subjects (CPHS), or subject to other Data Access Agreements?

What if my personal email account, bank account, or other accounts were compromised?

  • Immediately change your passwords for any potentially compromised accounts
  • Contact your bank or financial advisor to let them know your accounts may be compromised and ask them to put a fraud alert on your accounts
  • Regularly check your bank and financial statements and credit reports to identify any false charges or suspicious activity
  • If you believe you are a victim of identity theft, please see the Federal Trade Commission's Immediate Steps to Repair Identity Theft.

How do I report a Phishing or suspicious email?

Reporting suspicious emails can dramatically reduce the duration and impact of an active phishing attack.

Using the bMail web interface:

  1. Open the message
  2. To the right of the 'Reply' arrow, select 'More' (typically denoted with three vertical dots)
  3. Then select 'Report phishing'

Reporting through Google allows the email to be blocked from further attacks and may prevent others from falling victim to the attack.

If you are unable to log into bMail, forward the message to phishing@berkeley.edu or call the ITCS Service Desk at 510-664-9000. 

Do I only need to worry about Phishing attacks via email?

No.  Phishing attacks can also occur through phone calls, texts, instant messaging, or malware on your computer which can track how you use your computer and send valuable information to identity thieves. It is important to be vigilant at all times and remain suspicious of sources that ask for your credentials and other personal information.