Office of the Chief Information Security Officer

Annual Communications



Secure University Data

This message was sent on October 15, 2019 to all UW students, faculty and staff with approval from the Vice President for UW Information Technology and CIO.

As part of National Cybersecurity Awareness Month, we are offering some tips and best practices for safeguarding your personal and University data. We also want to remind you that cybersecurity is our shared responsibility and University information technology resources should be used appropriately.

Be aware of scams and phishing

Phishing

Learn to recognize phishing emails:

  • These types of emails typically urge recipients to download malicious attachments or click on links that lead to web pages specifically crafted to steal login credentials, such as your UW NetID and password.
  • Phishing emails may appear to be from someone you know but are actually from a spoofed or compromised account.
  • They may deliver exploits such as ransomware, malicious software that locks files, folders and devices. It also makes data, computers and systems inaccessible until a sum of money is paid to cyberthieves.

Think before you click on links in email and only open attachments if you can verify the sender.

Email scams

Beware of email scams:

  • The sender may try to solicit money, financial and personal information or ask you to purchase gift cards.
  • If an email offer sounds too good to be true, it probably is.
  • Be skeptical even if you think you recognize the sender.

Report suspicious email

Report phishing and other email scams to help@uw.edu.

Be secure

  • Choose encryption. Use a virtual private network (VPN), such as Husky OnNet, to securely connect to University computers and networks from home and remote locations. Use eduroam, a free, encrypted service, for Wi-Fi while on campus.
  • Use strong passwords. Create strong passwords and don’t use your UW NetID password for other accounts.
  • Back up your data. Back up your files and systems in at least two different secure forms, such as on an external hard drive, so that you aren’t vulnerable to data loss from ransomware. Be sure that at least one backup is offline and not connected to your computer.

Learn more

Reporting spam and phishing. Further instructions can be found on the IT Connect website.
Safeguarding UW and personal information. More information about safeguarding UW and personal information, including best practices for passwords and keeping backups for data, devices and systems, can be found on the Office of the Chief Information Security Officer’s (CISO) website.
Appropriate use of computing and networking resources. Some of the laws and policies governing the use of UW computing and networking resources and information on respecting copyright can be found on the Appropriate Use web page on IT Connect.


Message About Phishing and W-2 Forms

The following message was sent to all faculty and staff in January 2019 with approval from Aaron Powell, Vice President for UW Information Technology and Chief Information Officer.

This email provides important information to help you protect your UW NetID and password from phishing attacks, which increase during tax season.

How does phishing work?

Cyber criminals try to steal an employee’s login credentials so that they can download Wage and Tax Statements (Form W-2). They then can use the W-2 information to electronically file a fraudulent federal income tax return in the employee’s name. By changing the bank account number, the cyber criminals receive the refund.

Fortunately, your vigilance and the UW’s two-factor authentication system can play a pivotal role in protecting employee data.

How can you protect yourself?

  • Be skeptical about emails that seem urgent or threaten negative consequences if you do not act.

Do not reply, click links, or divulge personal information or login credentials.

Phishing emails may arrive in various forms. They may use distressing messages to heighten the urgency or they may use logos from well-known companies. In some cases, they may send a simple meeting reminder.

  • The most secure way to access your University of Washington W-2 is by using the “Sign in to Workday” link found on the Integrated Service Center’s (ISC) website.

If you suspect you’ve received a phishing email disguised as an email from Workday, you can confirm the legitimacy of the message by logging into Workday via the ISC website and double-checking you received the same message in your Workday Inbox or your Workday Notifications.

  • Do not approve unsolicited requests for two-factor authentication.

Duo is the UW’s two-factor authentication (2FA) system, which adds a second layer of security when you sign into Workday and other systems. Using 2FA prevents others from signing in as you, even if they know your password.

If you receive an unsolicited sign-in request for Duo, and you have not signed in to a system that requires it, do not approve the request. If the request is a phone call, hang up without pressing any button. If it is a Duo Push request, press the “deny” button, and you will be given a choice to report it as fraudulent so that UW Information Technology is notified of the unsolicited push request. Additionally, you should immediately change your UW NetID password to ensure your account is secure by visiting the Manage UW NetID webpage.

  • Use anti-virus software on your computers and devices, and keep the anti-virus software updated.

Sophos Anti-Virus Software is available free of charge to all UW students, faculty and staff.

If you have any questions or concerns, please contact help@uw.edu.

Thank you for helping to protect UW data.


Office of the CISO Phishing Resources: