Annual Communications

Message About Phishing and W-2 Forms

This message will be sent on 1/16/24 to all UW student employees, faculty and staff with approval from the Associate Vice President for Information Security and Chief Information Security Officer

This email provides important information to help you protect your UW NetID and password from phishing attacks, which increase during tax season.

How does phishing work?

Cybercriminals try to steal employee login credentials so that they can download Wage and Tax Statements (Form W-2). They then use the W-2 information to electronically file a fraudulent federal income tax return in the employee’s name. By changing the bank account number, the cybercriminals receive the refund.

Your vigilance, along with the UW’s two-factor authentication system, plays an important role in protecting your personal and UW data.

How can you protect yourself?

  • Be skeptical about emails that seem urgent or threaten negative consequences if you do not act.

Trust your instincts and do not reply, click links, or divulge personal information or passwords from unexpected messages, especially if they make you feel fear.

Cybercriminals may use manipulative messages to heighten urgency or logos from well-known companies to trick users into clicking on links. In some cases, they may send a simple meeting reminder that leads to a fake UW web page. If you receive an email you suspect may be phishing, you can report it to

  • The secure way to access your University of Washington W-2 is by using the “Sign in to Workday” link found on the Integrated Service Center’s (ISC) website.

If you suspect you’ve received a phishing email disguised as an email from Workday, you can confirm the legitimacy of the message by signing into Workday via the ISC website and double-checking you received the same message in your Workday Inbox or your Workday Notifications.

  • Do not approve unsolicited requests for two-factor authentication (2FA).

If you receive an unsolicited sign-in request for Duo and you have not signed into a system that requires it:

    • Do not approve the request. If the request is a phone call, hang up without pressing any buttons.
    • If it is a Duo Push request, press the “deny” button and you will be given a choice to report it as fraudulent so that UW-IT is notified.
    • Immediately change your UW NetID password to ensure your account is secure.
  • Use anti-virus software on your computers and devices, and keep the anti-virus software updated.

Sophos Anti-Virus Software is available free of charge to all UW students, faculty and staff.

If you have any questions or concerns, please contact

Thank you for helping secure UW data.

Isaac Straley
Chief Information Security Officer
UW Office of Information Security

How can you be safer and more secure online?

This message is being sent to all University of Washington (UW) students, faculty and staff and UW Medicine employees with approval from the Interim Chief Information Security Officer. 

As National Cybersecurity Awareness Month (NCSAM) draws to a close, we are writing to remind you about ways to be safer and more secure online. Besides sharing the following cybersecurity tips, we want you to know that we have changed our name from Office of the Chief Information Security Officer to Office of Information Security to better describe the focus of our work. We look forward to working with you to protect personal data and UW institutional information.

Top 7 cybersecurity tips

1. Recognize phishing and scams.

Scammers commonly use phishing emails to trick you into giving them your personal information, such as passwords or credit card numbers, and they’re often successful. Be skeptical of any email that urges you to click on links or download attachments.

Phishing emails may appear to come from a recognizable person or organization, such as your supervisor, UW organizations, or the health department. Be suspicious of unsolicited job opportunities, offers of financial aid, requests to purchase gift cards or opportunities that seem too good to be true.

2. Secure your UW NetID and other accounts.

Be careful not to use your UW NetID password with any other account. Multi-factor authentication (MFA) helps prevent others from signing in as you, even if they know your password. Duo, a two-factor authentication (2FA) service, is widely used at UW for MFA and we recommend that you also use some form of MFA (or 2FA) for other accounts and services, such as personal email, social media, and bank and financial accounts.

3. Secure your computer and other devices.

Keep computers, devices and all applications — including antivirus softwareupdated and patched. Encrypt computers and devices, and keep track of the encryption key.

4. Secure UW institutional data.

Learn what types of data you are responsible for and take steps to secure data appropriately in applications. Four* data classifications are described on the UW Privacy Office website: UW Confidential, Restricted, Public, and Special Categories of Personal Data. Certain data types are protected by laws and regulations. Back up your data in at least two different ways, including one offline version.

5. Secure your Wi-Fi communications.

Configure your devices to use eduroam — a free, encrypted Wi-Fi network available at the UW (and at any eduroam-enabled institution throughout the world). There are instructions for how to set up your device to access eduroam on IT Connect.

6. Secure communications while working remotely.

Use a virtual private network (VPN), such as Husky OnNet, when working at home or remotely to access resources on the UW network. Take steps to secure your home Wi-Fi network by using strong passwords and the strongest encryption possible on home routers.

7. Know the rules.

State law prohibits the use of UW computing resources, tools or services for commercial or political purposes. Follow copyright laws for software, images, music or other intellectual property, such as books and videos. For more information, review the Appropriate Use web page on IT Connect.

If you have any questions or concerns, please contact

Thank you for helping to secure your personal and UW data.

Mark T. Nardone CISSP, CISM, CIPM
UW Interim Chief Information Security Officer
Office of Information Security

*Note: The email version of this message erroneously referred to three UW data classifications. There are four. Go back

Related links:

Scams target offsite workers and COVID-19 fears

This message was sent on March 17, 2020 to all UW students, faculty and staff with approval from Aaron Powell, Vice President for UW Information Technology and CIO.

We are seeing an increase in email, text and phone scams aimed at the UW community as we all adopt new applications, tools and working conditions in order to inhibit the spread of COVID-19.

Scams that exploit fears and vulnerabilities in times of change and uncertainty are continually being adapted by cyberthieves and other malicious actors who target University and personal financial information, systems and accounts.

These scammers may:

  • Request that you provide your cell phone number or non-UW email address so their communications with you are outside any safeguards the University may have.
  • Ask you to buy gift cards or to send or receive money advances.
  • Entice you with seemingly urgent phishing messages to click on links or open documents that may lead to malware infections or the theft of your UW NetID credentials.
  • Send messages that appear to be from UW employees and offices, but are actually sent from phony or spoofed email accounts.

What you can do

  • Be vigilant about lures in the form of emails, phone calls and texts that attempt to inspire a quick reaction or instill fear, whether it is a request to reset your account or a warning about a current news event.
  • Don’t click on links or open unsolicited email attachments without verifying that the sender is who you think it is.
  • Don’t respond with personal information to emails and texts from unfamiliar numbers and senders.
  • If you suspect an email message may contain malware or phishing, forward it as an attachment to

More information

Contact us

If you have any questions or concerns, please contact