Office of the Chief Information Security Officer

Annual Communications

Scams target offsite workers and COVID-19 fears

This message was sent on March 17, 2020 to all UW students, faculty and staff with approval from Aaron Powell, Vice President for UW Information Technology and CIO.

We are seeing an increase in email, text and phone scams aimed at the UW community as we all adopt new applications, tools and working conditions in order to inhibit the spread of COVID-19.

Scams that exploit fears and vulnerabilities in times of change and uncertainty are continually being adapted by cyberthieves and other malicious actors who target University and personal financial information, systems and accounts.

These scammers may:

  • Request that you provide your cell phone number or non-UW email address so their communications with you are outside any safeguards the University may have.
  • Ask you to buy gift cards or to send or receive money advances.
  • Entice you with seemingly urgent phishing messages to click on links or open documents that may lead to malware infections or the theft of your UW NetID credentials.
  • Send messages that appear to be from UW employees and offices, but are actually sent from phony or spoofed email accounts.

What you can do

  • Be vigilant about lures in the form of emails, phone calls and texts that attempt to inspire a quick reaction or instill fear, whether it is a request to reset your account or a warning about a current news event.
  • Don’t click on links or open unsolicited email attachments without verifying that the sender is who you think it is.
  • Don’t respond with personal information to emails and texts from unfamiliar numbers and senders.
  • If you suspect an email message may contain malware or phishing, forward it as an attachment to

More information

Contact us

If you have any questions or concerns, please contact

Message About Phishing and W-2 Forms

The following message was sent to all faculty and staff in January 2020 with approval from Aaron Powell, Vice President for UW Information Technology and Chief Information Officer.

This email provides important information to help you protect your UW NetID and password from phishing attacks, which increase during tax season.

How does phishing work?

Cybercriminals try to steal an employee’s login credentials so that they can download Wage and Tax Statements (Form W-2). They then can use the W-2 information to electronically file a fraudulent federal income tax return in the employee’s name. By changing the bank account number, the cybercriminals receive the refund.

Fortunately, your vigilance and the UW’s two-factor authentication system (Duo) play a pivotal role in protecting employee data.

How can you protect yourself?

  • Be skeptical about emails that seem urgent or threaten negative consequences if you do not act.

Do not reply, click links, or divulge personal information or login credentials.

Phishing emails may arrive in various forms. Cybercriminals may use distressing messages to heighten the urgency or they may use logos from well-known companies. In some cases, they may send a simple meeting reminder. If you receive an email you suspect may be phishing, you can report it to help @ (no spaces).

  • The most secure way to access your University of Washington W-2 is by using the “Sign in to Workday” link found on the Integrated Service Center’s (ISC) website.

(Note: UW Medical Center – Northwest and UW Physicians & Faculty Practice Plan (FPPS) employees should access their 2019 W-2s in the Ultipro and ADP systems this year.)

If you suspect you’ve received a phishing email disguised as an email from Workday, you can confirm the legitimacy of the message by signing into Workday via the ISC website and double-checking you received the same message in your Workday Inbox or your Workday Notifications.

  • Do not approve unsolicited requests for two-factor authentication.

Duo is the UW’s two-factor authentication (2FA) system, which adds a second layer of security when you sign into Workday and other systems. Using 2FA prevents others from signing in as you, even if they know your password.

If you receive an unsolicited sign-in request for Duo, and you have not signed in to a system that requires it, do not approve the request. If the request is a phone call, hang up without pressing any button. If it is a Duo Push request, press the “deny” button, and you will be given a choice to report it as fraudulent so that UW Information Technology is notified of the unsolicited push request. Additionally, you should immediately change your UW NetID password to ensure your account is secure by visiting the Manage UW NetID webpage.

  • Use anti-virus software on your computers and devices, and keep the anti-virus software updated.

Sophos Anti-Virus Software is available free of charge to all UW students, faculty and staff.

If you have any questions or concerns, please contact help @

Thank you for helping to protect UW data.

Secure University Data

This message was sent on October 15, 2019 to all UW students, faculty and staff with approval from the Vice President for UW Information Technology and CIO.

As part of National Cybersecurity Awareness Month, we are offering some tips and best practices for safeguarding your personal and University data. We also want to remind you that cybersecurity is our shared responsibility and University information technology resources should be used appropriately.

Be aware of scams and phishing


Learn to recognize phishing emails:

  • These types of emails typically urge recipients to download malicious attachments or click on links that lead to web pages specifically crafted to steal login credentials, such as your UW NetID and password.
  • Phishing emails may appear to be from someone you know but are actually from a spoofed or compromised account.
  • They may deliver exploits such as ransomware, a malicious software that locks files, folders and devices. It also makes data, computers and systems inaccessible until a sum of money is paid to cyberthieves.

Think before you click on links in email and only open attachments if you can verify the sender.

Email scams

Beware of email scams:

  • The sender may try to solicit money, financial and personal information or ask you to purchase gift cards.
  • If an email offer sounds too good to be true, it probably is.
  • Be skeptical even if you think you recognize the sender.

Report suspicious email

Report phishing and other email scams to

Be secure

  • Choose encryption. Use a virtual private network (VPN), such as Husky OnNet, to securely connect to University computers and networks from home and remote locations. Use eduroam, a free, encrypted service, for Wi-Fi while on campus.
  • Use strong passwords. Create strong passwords and don’t use your UW NetID password for other accounts.
  • Back up your data. Back up your files and systems in at least two different secure forms, such as on an external hard drive, so that you aren’t vulnerable to data loss from ransomware. Be sure that at least one backup is offline and not connected to your computer.

Learn more

Reporting spam and phishing. Further instructions can be found on the IT Connect website.
Safeguarding UW and personal information. More information about safeguarding UW and personal information, including best practices for passwords and keeping backups for data, devices and systems, can be found on the Office of the Chief Information Security Officer’s (CISO) website.
Appropriate use of computing and networking resources. Some of the laws and policies governing the use of UW computing and networking resources and information on respecting copyright can be found on the Appropriate Use web page on IT Connect.

Office of the CISO Phishing Resources: