‌In recent weeks, attackers have targeted UC staff by attempting to change their direct deposit information in UCPath, UCSF’s online self-service tool for pay, benefits and other HR activities. Unfortunately, some UCSF employees have fallen victim to these attacks. The criminals are using sophisticated tactics, stealing usernames and passwords via authentic-looking phony websites and tricking users into approving Duo logins. They are also using Google advertising to place their results at the top of searches for “UCPath.”  

To protect employees, UCSF IT is expanding the use of Duo Verified Push. This extra layer of security results in users being prompted to enter a 4-digit code into the Duo mobile app, helping to ensure the person logging into MyAccess is the same person who received the prompt. This change takes effect today, Wednesday, May 28th.

Additional security measures  

To help to continue to prevent the possibility of your accounts being compromised, please follow these tips:  

• Only go to UCPath from the MyAccess landing page.
  • Navigate to the MyAccess landing page first.   
  • In the Filter Applications field, type in UCPath to access the site.   
• Never use search engines to find the UCPath login page.
• Avoid using bookmarks to UCPath
• Never share your 4-digit Duo Verified Push code with anyone.    

Review the UCOP article for additional information about these online attacks and how you can keep your information safe and secure.