Laptop with multiple fish around a fishing pole on screen.

10/20 phishing alert! Subject: “[Not Virus Scanned] 16.89 % Salary Increase Letter 20 October 2023”

There’s an active phishing campaign on campus in which the attacker impersonates a payroll & employees relations specialist sending information about a pay increase. The email asks recipients to click an attached, password protected PDF which contains a link to a Google form. We strongly advise you not to open or download the attachment.

The scam emails come from a compromised account at another university, so don’t be fooled!

See the included text below.

Date: Friday, October 20, 2023 at 9:53 AM
Subject: [Not Virus Scanned] 16.89 % Salary Increase Letter 20 October 2023

Dear All,

Sequel to last wéék notification, find encloséd héré-undér the létter summarizing your 16.89 percent salary increase starting 20 October 2023

Αll documénts are enclosed héré-undér:

NOTE:  Your Αccess is needed to go through the salary increment letter, Initial Αccess is Salary

Payroll & Employee Relations

The attachment appears as follows:

Phish attachment with "view online" link

We became aware of this campaign on the morning of October 20, but such attacks can occur at any time. Please be on the lookout for such scams. You can recognize them in the following ways:

  • Poor grammar, spelling and unusual characters or formatting
  • Inspect URLs closely. Some scammers will try tricking you out by including relevant sounding keywords like the name of the company they’re impersonating – look at the whole URL to make sure it includes a legitimate domain name in the correct placement, e.g., “”
  • If in doubt, don’t click the link but browse directly to the legitimate, relevant website and look for confirmation of the email message.

What should I do if I accidentally opened the attachment?

Scan your device for viruses as a precaution.  See the Virus Information Center for details.

What should I do if I logged in via the link in the attachment?

Immediately change your NetID password by following the instructions in NetID: Changing a Password (Source: KB 20589).

Reporting a phishing campaign

Outlook users:
To report phishing emails received via Outlook, please click the “Report Suspicious” button on the toolbar/ribbon located at the top of your page. This action will send the questionable email to the UW–Madison Cybersecurity Operations Center (CSOC).

Non-Outlook users: 
If you do not see the “Report Suspicious” button, then forward the message as an attachment  (Source: KB 34567) to Please do not simply forward the questionable email, as this will prevent us from seeing the header of the message and make it difficult to take appropriate action.

For additional information, please refer to: Office 365 – Submit a message as spam/phishing (Source: KB 45051).

If you are ever unsure whether an email message is legitimate, DO NOT RESPOND to it! Instead, contact the DoIT Help Desk (608) 264-HELP (4357) and ask for advice.