UC campuses have observed a significant rise in direct deposit fraud attacks.
In addition to traditional email phishing, threat actors are now using convincing fraudulent websites that mimic UCPath or UCSB systems, text message/SMS phishing (“smishing”), and platforms like LinkedIn messaging. The goal is to steal credentials and change direct deposit information.
Protect yourself:
- Be wary of unsolicited messages: Watch for unfamiliar senders, typos, grammatical errors, and urgent requests. Don't click links or provide personal information from suspicious messages.
- Scrutinize website URLs: Always check the URL of any site asking for UCSB credentials. Legitimate UCSB sites will redirect to https://sso.ucsb.edu or end in .ucsb.edu. The site's certificate should match its name.
- Duo Security: UCPath and UCSB sites use Duo MFA. Never enter a Duo passcode into a site that doesn't match UCSB's Duo prompt. UCSB IT will never ask for a Duo passcode via SMS. Only enter 4-digit verification codes (Duo Verified Push) from a login you initiated.
- Bookmark UCPath, or type https://ucpath.ucsb.edu directly into your browser address bar instead of searching for “UCPath.”
- Update your UCPath profile. Add a home email and personal phone number to receive notifications about changes to your profile or direct deposit.
- Verify any request to update or change your Direct Deposit information, even if it appears to come from a trusted source.
- Report suspicious activity. Email security@ucsb.edu if you receive any suspicious messages or notifications
UC leadership is actively responding to this threat with enhancements to Duo multi-factor authentication and additional technical protections at UCPath.
Your security is our top priority, and we encourage every community member to take these steps seriously. By working together, we can mitigate the potential risks associated with these fraudulent activities.