This message was sent to all UW student employees, faculty and staff with approval from the Vice President for UW Information Technology and CIO.
This email provides important information to help you protect your UW NetID and password from phishing attacks, which increase during tax season.
Links have been left out of this email. To find this message on the web, search the UW website for “CISO Annual Communications,” where you will find hyperlinks to all the related resources mentioned.
How does phishing work?
Cybercriminals try to steal employee login credentials so that they can download Wage and Tax Statements (Form W-2). They then use the W-2 information to electronically file a fraudulent federal income tax return in the employee’s name. By changing the bank account number, the cybercriminals receive the refund.
Your vigilance and the UW’s two-factor authentication system play a pivotal role in protecting employee data.
How can you protect yourself?
- Be skeptical about emails that seem urgent or threaten negative consequences if you do not act.
Do not reply, click links, or divulge personal information or login credentials. Cybercriminals may use manipulative messages to heighten urgency or they may use logos from well-known companies to trick users into clicking on links. In some cases, they may send a simple meeting reminder that leads to a fake UW web page. If you receive an email you suspect may be phishing, you can report it to help @ uw.edu (no spaces).
- The secure way to access your University of Washington W-2 is by using the “Sign in to Workday” link found on the Integrated Service Center’s (ISC) website. Note: Children’s University Medical Group and UW Physicians employees should access their 2021 W-2s in the Automatic Data Processing (ADP) system; UW Neighborhood Clinic employees will be issued two 2021 W-2s, one for the first pay period in ADP, the second for the remainder of the year in Workday.
If you suspect you’ve received a phishing email disguised as an email from Workday, you can confirm the legitimacy of the message by signing into Workday via the ISC website and double-checking you received the same message in your Workday Inbox or your Workday Notifications.
- Do not approve unsolicited requests for two-factor authentication.
Duo is the UW’s two-factor authentication (2FA) system, which adds a second layer of security when you sign into Workday and other University systems. Using 2FA prevents others from signing in as you, even if they know your password. If you receive an unexpected sign-in request for Duo, and you have not signed into a system that requires it, do not approve the request. If the request is a phone call, hang up without pressing any buttons. If it is a Duo Push request, press the “deny” button and you will be given a choice to report it as fraudulent so that UW Information Technology is notified. Additionally, you should immediately change your UW NetID password to ensure your account is secure.
- Opt in to use 2FA on the web.
As of August 31, 2021, all staff (except in UW Medicine) and UW Bothell faculty are required to use 2FA when signing in with their UW NetID on the web for added security. Other faculty and students can also opt in to use 2FA on the web. For more information, search for “opt in to 2FA on the web” on the IT Connect website.
- Use anti-virus software on your computers and devices and keep anti-virus software updated.
Sophos Anti-Virus Software is available free of charge to all UW students, faculty and staff.
- Learn more about phishing from recent examples, infographics and other training materials on the Office of the CISO website.
(Search for “CISO” on the UW home page to find the CISO site where you will find links to all the information and resources mentioned above.)
If you have any questions or concerns, please contact help @ uw.edu (no spaces).
Thank you for helping secure UW data.
Pronouns: he, him, his
Vice President for UW Information Technology and CIO