Office of the Chief Information Security Officer

Annual Communications

Message About Phishing and W-2 Forms

This message is being sent to all UW student employees, faculty and staff with approval from the Vice President for UW Information Technology and CIO.

This email provides important information to help you protect your UW NetID and password from phishing attacks, which increase during tax season.

How does phishing work?

Cybercriminals try to steal employee login credentials so that they can download Wage and Tax Statements (Form W-2). They then use the W-2 information to electronically file a fraudulent federal income tax return in the employee’s name. By changing the bank account number, the cybercriminals receive the refund.

Your vigilance and the UW’s two-factor authentication system play a pivotal role in protecting employee data.

How can you protect yourself?

  • Be skeptical about emails that seem urgent or threaten negative consequences if you do not act.

Do not reply, click links, or divulge personal information or login credentials.

Cybercriminals may use manipulative messages to heighten urgency or logos from well-known companies to trick users into clicking on links. In some cases, they may send a simple meeting reminder. If you receive an email you suspect may be phishing, you can report it to

  • The secure way to access your University of Washington W-2 is by using the “Sign in to Workday” link found on the Integrated Service Center’s (ISC) websiteNote: UW Neighborhood Clinic and Children’s University Medical Group employees should access their 2020 W-2s in the Automatic Data Processing (ADP) systems this year. If you suspect you’ve received a phishing email disguised as an email from Workday, you can confirm the legitimacy of the message by signing into Workday via the ISC website and double-checking you received the same message in your Workday Inbox or your Workday Notifications.
  • Do not approve unsolicited requests for two-factor authentication.

Duo is the UW’s two-factor authentication (2FA) system, which adds a second layer of security when you sign into Workday and other systems. Using 2FA prevents others from signing in as you, even if they know your password.

If you receive an unsolicited sign-in request for Duo, and you have not signed into a system that requires it, do not approve the request. If the request is a phone call, hang up without pressing any buttons. If it is a Duo Push request, press the “deny” button and you will be given a choice to report it as fraudulent so that UW Information Technology is notified. Additionally, you should immediately change your UW NetID password to ensure your account is secure.

  • Opt-in to use 2FA on the web.

Employees and students can opt-in to use 2FA when signing in with their UW NetID on the web. For more information, search for “opt-in to 2FA on the web” on the IT Connect website.

  • Use anti-virus software on your computers and devices, and keep the anti-virus software updated.

Sophos Anti-Virus Software is available free of charge to all UW students, faculty and staff.

If you have any questions or concerns, please contact

Thank you for helping to secure UW data.

Secure University Data

This message was sent on October 20, 2020 to all UW students, faculty and staff with approval from the Vice President for UW Information Technology and CIO.

As part of National Cybersecurity Awareness Month, we want to share some best practices to secure your personal data and the University’s institutional information from theft and accidental disclosure. Cyberthieves and other adversaries are constantly adapting their tactics in order to take advantage of vulnerabilities, especially during challenging times.

Securing data is our shared responsibility, so please be mindful of cyber threats and use University resources appropriately.

Be aware of phishing and scams


  • Learn to recognize phishing emails, which may urge you to download malicious attachments or click on links that lead to web pages specifically crafted to steal login credentials, such as your UW NetID and password.
    • These emails may appear to be from someone you know but are actually from a spoofed or compromised account.
  • Recent scams have used the new remote working conditions, fears about the coronavirus or funding from the Coronavirus Aid, Relief, and Economic Security (CARES) Act to try to trick people into giving up personal and banking information. Other scams:
    • Entice people to apply for fake jobs or buy gift cards by impersonating University employees.
    • Raise alarm about an unemployment claim or a financial aid loan by impersonating an office at the University, such as the Financial Aid Office. They use a phony website to harvest login credentials for student financial aid accounts so they can use their own account for the direct deposit.
  • Think before you click on links in email; only open attachments if you can verify the sender.
  • Report phishing and other email scams to

Be Secure

  • Use strong passwords. Create strong passwords and don’t use your UW NetID password for other accounts.
  • Use two-factor authentication (2FA). 2FA adds a layer of security when you sign in with your UW NetID. With 2FA, first you enter your password, then use a 2FA device to prove it’s really you.
    • Opt in to use 2FA on the web. Employees and students can opt in to use 2FA when signing in with their UW NetID on the web. For more information, go to Opt in to use 2FA on the web on the IT Connect website.
  • Choose encryption. Use a virtual private network (VPN), such as Husky OnNet, to securely connect to University computers and networks from home and remote locations. Use eduroam, a free, encrypted service, for Wi-Fi while on campus.
  • Secure data, devices and connections when working from home. Review the Working Remotely online training and the Securing Laptops risk advisory linked on the UW Office of the Chief Information Security Officer’s (CISO) website.
  • Back up your data. Back up your files and systems in at least two different secure places, such as on an external hard drive, shared drive, or secure cloud location, so that you aren’t vulnerable to data loss from ransomware. Be sure that at least one backup is offline and not connected to your computer.

Learn More

  • Report spam and phishing. Further instructions can be found on the Protecting your email  page on the IT Connect website.
  • Safeguard UW and personal information. More information about safeguarding the UW and personal information can be found on the Office of the CISO’s website. A digital postcard with information security tips for students is linked on the CISO home page.
  • Know the rules. Some of the laws and policies governing your use of UW computing and networking resources can be found on the Appropriate Use web page on IT Connect.


Office of the CISO Phishing Resources:

Scams target offsite workers and COVID-19 fears

This message was sent on March 17, 2020 to all UW students, faculty and staff with approval from Aaron Powell, Vice President for UW Information Technology and CIO.

We are seeing an increase in email, text and phone scams aimed at the UW community as we all adopt new applications, tools and working conditions in order to inhibit the spread of COVID-19.

Scams that exploit fears and vulnerabilities in times of change and uncertainty are continually being adapted by cyberthieves and other malicious actors who target University and personal financial information, systems and accounts.

These scammers may:

  • Request that you provide your cell phone number or non-UW email address so their communications with you are outside any safeguards the University may have.
  • Ask you to buy gift cards or to send or receive money advances.
  • Entice you with seemingly urgent phishing messages to click on links or open documents that may lead to malware infections or the theft of your UW NetID credentials.
  • Send messages that appear to be from UW employees and offices, but are actually sent from phony or spoofed email accounts.

What you can do

  • Be vigilant about lures in the form of emails, phone calls and texts that attempt to inspire a quick reaction or instill fear, whether it is a request to reset your account or a warning about a current news event.
  • Don’t click on links or open unsolicited email attachments without verifying that the sender is who you think it is.
  • Don’t respond with personal information to emails and texts from unfamiliar numbers and senders.
  • If you suspect an email message may contain malware or phishing, forward it as an attachment to

More information

Contact us

If you have any questions or concerns, please contact