How to Detect the Authentic CalNet Login Page

Phishing exploits are one of the biggest security threats facing the UC Berkeley campus. Fraudsters commonly target campus users with well-crafted emails that lure them to a counterfeit CalNet login page. Users who are tricked into entering their CalNet login and password have compromised their account, giving the hacker free rein to access private information and to spread the scam to other users.

To help protect your CalNet account and sensitive data, follow the campus Top 10 Secure Computing Tips and learn about Protecting Your Credentials.  When you do come across a website that asks for your CalNet account login, you should always verify the authenticity of the website. 

The CalNet login page (sometimes referred to as the CalNet "Central Authentication Service" or CAS) has several unique security identifiers that can help you to verify the site and protect you from falling prey to a phishing scam.

[Screenshot: CAS page]

The screenshot above shows what the CalNet login page should look like, but appearance is not a determining factor in trusting a website since the page can be easily forged.

Here are two steps to ensure you are logging in to the authentic CalNet login page:

  1. Verify that the URL for the CalNet login page begins with:  https://auth.berkeley.edu
  2. The second step is to verify the site's SSL certificate (steps vary per browser):
    1. Click the padlock icon in the address bar and select "Certificate" from the dialogue box.

    2. View the details of the certificate to verify the following items:
      1. Look for "This Certificate is Valid" or "This certificate has been verified"
      2. Under the "Subject Name" or "Issued To" section:
        1. Organization (O) name is:  University of California, Berkeley (Regents of the Univ. of CA)
        2. Common Name (CN) is:  auth.berkeley.edu
      3. Under "Issuer":
        1. The Organization (O) value is:  COMODO CA Limited
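
The two checks above written as code, as an added example that is not part of the original page. The function names are hypothetical, the certificate dictionaries are constructed samples in the layout returned by Python's ssl.SSLSocket.getpeercert(), and the example.net hosts are constructed lookalikes. It shows why step 1 has to compare the whole host name rather than only the leading characters of the URL.

```python
from urllib.parse import urlsplit

# Expected values are the ones listed in the steps above.
EXPECTED_HOST = "auth.berkeley.edu"
EXPECTED_SUBJECT_O = "University of California, Berkeley (Regents of the Univ. of CA)"
EXPECTED_ISSUER_O = "COMODO CA Limited"


def is_calnet_url(url):
    """Step 1: scheme is https and the parsed host is exactly auth.berkeley.edu."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    # Compare the parsed host, not a string prefix: a prefix test would also
    # accept auth.berkeley.edu.example.net or auth.berkeley.edu@example.net.
    return parts.scheme == "https" and host == EXPECTED_HOST


def _names(rdns):
    """Flatten the nested tuples used by ssl.SSLSocket.getpeercert()."""
    return {key: value for rdn in rdns for key, value in rdn}


def cert_problems(cert):
    """Step 2: list the certificate fields that differ from the expected values."""
    subject = _names(cert.get("subject", ()))
    issuer = _names(cert.get("issuer", ()))
    checks = [
        ("subject O", subject.get("organizationName"), EXPECTED_SUBJECT_O),
        ("subject CN", subject.get("commonName"), EXPECTED_HOST),
        ("issuer O", issuer.get("organizationName"), EXPECTED_ISSUER_O),
    ]
    return [label for label, actual, expected in checks if actual != expected]


# Constructed sample certificates in getpeercert() layout (not captured data).
MATCHING_CERT = {
    "subject": ((("organizationName", EXPECTED_SUBJECT_O),),
                (("commonName", "auth.berkeley.edu"),)),
    "issuer": ((("organizationName", "COMODO CA Limited"),),),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "auth.berkeley.edu.example.net"),),),
    "issuer": ((("organizationName", "Example Test CA"),),),
}
```

An empty list from cert_problems means all three certificate fields match the values given in step 2.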

If you encounter a website that does not appear to be the genuine CalNet login page, and you are unsure about the authenticity of the page, contact security@berkeley.edu.

Do NOT enter your CalNet credentials until you have verified the authenticity of the login page.