daily californian logo

BERKELEY'S NEWS • MARCH 23, 2023


UC Berkeley employees fall victim to phishing attacks


Former Editor in Chief and President

NOVEMBER 24, 2013

Seven UC Berkeley employees fell victim to recent phishing scams that, in some cases, utilized their campus login credentials to redirect their monthly paychecks.

Relatively unsophisticated and profit-motivated, the phishing emails did not target any department in particular, said interim Chief Information Security Officer Paul Rivers. He added that the malicious emails directed victims — who included support staff and retired professors — to use their CalNet IDs and passphrases to log on to fake authentication websites.

Phishing scammers then used the login information to alter the employees’ direct deposit information. In some cases, this move inadvertently changed employees’ paycheck-delivery preferences to paper check.

When the affected individuals realized they had not received their paychecks, they reported it to the payroll office, which then informed the campus Information Services and Technology office, Rivers said.

“Some of the phishing attacks are just terrible,” Rivers said. “Others are remarkably good.”

In this case, the scam was deceptive enough to make employees think they were actually using the CalNet Central Authentication Service. Rivers said, however, that the attack was unsophisticated to the extent that staff and faculty quickly realized their paychecks were missing.

IST reported the crimes to both UCPD and the Federal Bureau of Investigation. Although the investigation is ongoing, the payroll office ensured that all employees received their missing paychecks. IST assisted the individuals with changing their IDs and passphrases.

In several cases, technology specialists were able to halt the payment before it reached the phishing scammers.

The campus has seen an estimated fivefold increase in phishing scams over the past two years. The IST budget was temporarily doubled from $1.5 million to $3 million this year to meet this increase. Rivers said the extra funds were used to develop a comprehensive information security program, which seeks to protect institutional data and assets.

Although UC Berkeley, along with other institutions of its size, has seen increases in the frequency of phishing scams, Rivers said, it is difficult to pinpoint exactly how many phishing scams target the campus each week or month.

“We’re fortunate that we’re not talking dozens or hundreds,” Rivers said. “While it was terribly inconvenient, and I’m sure very stressful for the employees, it would be a shame if we couldn’t all learn from their unfortunate experience.”

According to David Wagner, a professor in the electrical engineering and computer sciences department who researches computer security for large-scale systems, the type of phishing scam that deceived the seven employees involved criminals who wanted to make money using the least effort possible.

“It’s called phishing because they’re sending these emails to millions of people,” Wagner said, “and they’re hoping one or two will bite.”

Contact Kimberly Veklerov at [email protected] and follow her on Twitter @KVeklerov.
LAST UPDATED

NOVEMBER 25, 2013

