There’s an active phishing campaign on campus in which the attacker impersonates a payroll & employees relations specialist sending information about a pay increase. The email asks recipients to click an attached, password protected PDF which contains a link to a Google form. We strongly advise you not to open or download the attachment.
The scam emails come from a compromised account at another university, so don’t be fooled!
See the included text below.
From: NAME REDACTED
Date: Friday, October 20, 2023 at 9:53 AM
To: NAME REDACTED
Subject: [Not Virus Scanned] 16.89 % Salary Increase Letter 20 October 2023
Sequel to last wéék notification, find encloséd héré-undér the létter summarizing your 16.89 percent salary increase starting 20 October 2023
Αll documénts are enclosed héré-undér:
NOTE: Your Αccess is needed to go through the salary increment letter, Initial Αccess is Salary
Payroll & Employee Relations
The attachment appears as follows:
We became aware of this campaign on the morning of October 20, but such attacks can occur at any time. Please be on the lookout for such scams. You can recognize them in the following ways:
- Poor grammar, spelling and unusual characters or formatting
- Inspect URLs closely. Some scammers will try tricking you out by including relevant sounding keywords like the name of the company they’re impersonating – look at the whole URL to make sure it includes a legitimate domain name in the correct placement, e.g., “wisc.edu.”
- If in doubt, don’t click the link but browse directly to the legitimate, relevant website and look for confirmation of the email message.
What should I do if I accidentally opened the attachment?
Scan your device for viruses as a precaution. See the Virus Information Center for details.
What should I do if I logged in via the link in the attachment?
Immediately change your NetID password by following the instructions in NetID: Changing a Password (Source: KB 20589).
Reporting a phishing campaign
To report phishing emails received via Outlook, please click the “Report Suspicious” button on the toolbar/ribbon located at the top of your page. This action will send the questionable email to the UW–Madison Cybersecurity Operations Center (CSOC).
If you do not see the “Report Suspicious” button, then forward the message as an attachment (Source: KB 34567) to firstname.lastname@example.org. Please do not simply forward the questionable email, as this will prevent us from seeing the header of the message and make it difficult to take appropriate action.
For additional information, please refer to: Office 365 – Submit a message as spam/phishing (Source: KB 45051).
If you are ever unsure whether an email message is legitimate, DO NOT RESPOND to it! Instead, contact the DoIT Help Desk (608) 264-HELP (4357) and ask for advice.