January 25, 2018

Beware of phishing emails asking for your UW NetID and password to gain access to W-2 information

This email provides important information to help you protect your UW NetID and password from phishing attacks, which increase during tax season.

How does phishing work?

Cyber criminals try to steal an employee’s login credentials so that they can download Wage and Tax Statements (Form W-2). They can then use the W-2 information to electronically file a fraudulent federal income tax return in the employee’s name. By changing the bank account number, the cyber criminals receive the refund.

Fortunately, your vigilance and the UW’s two-factor authentication system can play a pivotal role in protecting employee data.

How can you protect yourself?

  • Be skeptical about emails that seem urgent or threaten negative consequences if you do not act.
    Do not reply, click links, or divulge personal information or login credentials.
    Phishing emails may arrive in various forms. They may use distressing messages to heighten the urgency or they may use logos from well-known companies. In some cases, they may send a simple meeting reminder.
  • The most secure way to access your W-2 is by using the “Sign in to Workday” link found on the Integrated Service Center’s (ISC) homepage.
    If you suspect you’ve received a phishing email disguised as an email from Workday, you can confirm the legitimacy of the message by logging in to Workday via the ISC website and double-checking that you received the same message in your Workday Inbox or your Workday Notifications (use the Cloud icon).
  • Do not approve unsolicited requests for two-factor authentication.
    Duo is the UW’s two-factor authentication (2FA) system, which adds a second layer of security when you sign in to Workday and other systems. Using 2FA prevents others from signing in as you, even if they know your password.
    If you receive an unsolicited sign-in request for Duo, and you have not signed in to a system that requires it, do not approve the request. If the request is a phone call, hang up without pressing any button. If it is a Duo Push request, press the “deny” button, and you will be given a choice to report it as fraudulent so that UW Information Technology is notified of the unsolicited push request. Additionally, you should immediately change your UW NetID password to ensure your account is secure by visiting the Manage UW NetID webpage. Search for Manage UW NetID on the UW homepage.
  • Use anti-virus software on your computers and devices, and keep the anti-virus software updated.
    Sophos Anti-Virus Software is available free of charge to all UW students, faculty and staff. Search for Sophos on the UW homepage.
  • Learn more about phishing from recent examples, infographics and other training materials on the UW Office of the Chief Information Security Officer (CISO) website.
    Search for CISO on the UW homepage. On the Education page of the CISO site, view the online training by topic.

If you have any questions or concerns, please contact help@uw.edu.

Thank you for your help in protecting UW data.

Note: Links were intentionally not included in this email.