Office of the Chief Information Security Officer

Annual Communications

Message About Phishing and W-2 Forms

The following message was sent to all faculty and staff in January 2019 with approval from Aaron Powell, Vice President for UW Information Technology and Chief Information Officer.

This email provides important information to help you protect your UW NetID and password from phishing attacks, which increase during tax season.

How does phishing work?

Cyber criminals try to steal an employee’s login credentials so that they can download Wage and Tax Statements (Form W-2). They then can use the W-2 information to electronically file a fraudulent federal income tax return in the employee’s name. By changing the bank account number, the cyber criminals receive the refund.

Fortunately, your vigilance and the UW’s two-factor authentication system can play a pivotal role in protecting employee data.

How can you protect yourself?

  • Be skeptical about emails that seem urgent or threaten negative consequences if you do not act.

Do not reply, click links, or divulge personal information or login credentials.

Phishing emails may arrive in various forms. They may use distressing messages to heighten the urgency or they may use logos from well-known companies. In some cases, they may send a simple meeting reminder.

  • The most secure way to access your University of Washington W-2 is by using the “Sign in to Workday” link found on the Integrated Service Center’s (ISC) website.

If you suspect you’ve received a phishing email disguised as an email from Workday, you can confirm the legitimacy of the message by logging in to Workday via the ISC website and double-checking that you received the same message in your Workday Inbox or your Workday Notifications.

  • Do not approve unsolicited requests for two-factor authentication.

Duo is the UW’s two-factor authentication (2FA) system, which adds a second layer of security when you sign in to Workday and other systems. Using 2FA prevents others from signing in as you, even if they know your password.

If you receive an unsolicited sign-in request for Duo, and you have not signed in to a system that requires it, do not approve the request. If the request is a phone call, hang up without pressing any button. If it is a Duo Push request, press the “deny” button, and you will be given a choice to report it as fraudulent so that UW Information Technology is notified of the unsolicited push request. Additionally, you should immediately change your UW NetID password to ensure your account is secure by visiting the Manage UW NetID webpage.

  • Use anti-virus software on your computers and devices, and keep the anti-virus software updated.

Sophos Anti-Virus Software is available free of charge to all UW students, faculty and staff.

If you have any questions or concerns, please contact help @

Thank you for helping to protect UW data.

Office of the CISO Phishing Resources:

Secure University Data

The following message was sent on May 22, 2018 to all UW students, faculty and staff with approval from Aaron Powell, Vice President for UW Information Technology and Chief Information Officer.

This message is to remind you of the importance of protecting your UW NetID password, as well as personal information and University data, from cybersecurity attacks.

Cybercriminals continually refine their tools to infiltrate systems and networks to access data. They are attempting to steal institutional information and personal credentials, and access valuable resources, with the ultimate goal of financial gain. They also try to make devices and systems inaccessible until the targeted individuals or organizations pay a fee.

The following three tactics are often used to exploit the large, open environments that are common at universities:

  • Phishing is a way to trick users into surrendering login credentials that can be used immediately or sold on underground websites. Phishing emails commonly urge recipients to download harmful attachments or click on links that lead to phony web pages specifically crafted to obtain stolen login credentials.
  • Spear phishing manipulates targeted individuals by appearing to come from a known or trusted sender in order to access financial account information, intellectual property and research data.
  • Ransomware is malicious software embedded in a seemingly legitimate file attached to an email. When downloaded to a device, it can lock files, folders, computers and systems until a sum of money is paid.

You have a responsibility to secure University data from these types of potential attacks and data breaches, and to use UW computing resources appropriately. The following tools and resources can help you keep your personal information and UW data secure.


IT Connect website

The Appropriate Use web page lists some of the laws and policies governing the use of UW computing and networking resources, and information on respecting copyright.

Office of the Chief Information Security Officer

  • Phishing training materials, including a Phishing Examples web page, describe the continually evolving methods of stealing login credentials and other important information.
  • Infographics, suitable for printing and posting in common areas, that are intended to educate users on current threats. See the World Backup Day infographic to read more about protecting against data loss from ransomware attacks.
  • A Spear Phishing Risk Advisory reviews recent cases involving academic institutions, and outlines best practices for managing the risks of such attacks.

Thank you for securing UW data.

If you have any questions or concerns, please contact help@uw.edu.