Laptop with multiple fish around a fishing pole on screen.

11/29 phishing alert! Subject: “Your $3500 from The University of Wisconsin”

The UW–Madison Office of Cybersecurity is aware of an active phishing campaign on campus in which the attacker impersonates a benefits specialist offering a $3500 end-of-year bonus. The email asks recipients to click a link leading to a fake benefits site where they’re prompted to enter login information. The scam emails come from a compromised account of someone who is a trusted authority, so don’t be fooled!

See the included text below.

Date: Tuesday, 11/29/2022 4:11 AM
Subject: Your $3500 from The University of Wisconsin

Wisconsin - University of Wisconsin

The University of Wisconsin has money waiting for you in the amount of $3,500.00 for the end of year Bonus funds for employees, but you haven’t told us how to deliver it to you.

To get access to your funds of $3,500.00, simply:

– Log into Wisc/edu/MyUW/benefitsprogram
– Select how you want your money delivered

You have two electronic options to receive your funds. Whether you choose to deposit to an existing account and receive your funds in one to two business days or to deposit to a Bank Mobile Vibe Checking Account, the only same business day option. Visit the benefit program page for more information and carefully follow all instructions.

Thank you,

University of Wisconsin–‍Madison
-Benefits Specialist

Clicking the link in the email shows a fake log in screen:

We became aware of this campaign on the morning of November 29, but such attacks can occur at any time. Please be on the lookout for such scams. You can recognize them in the following ways:

  • Hover over links, without clicking them. Most email clients, including Outlook and O365 online will show the destination URL. In this case, the URL is clearly not associated with the University.
  • Inspect URLs closely. Some scammers will try tricking you out by including relevant sounding keywords like the name of the company they’re impersonating – look at the whole URL to make sure it includes a legitimate domain name in the correct placement, e.g., “”
  • If in doubt, don’t click the link but browse directly to the legitimate, relevant website and look for confirmation of the email message.

What should I do if I accidentally clicked the link?

Immediately change your NetID password by following the instructions in NetID: Changing a Password (Source: KB 20589).

Reporting a phishing campaign

Outlook users:
To report phishing emails received via Outlook, please click the “Report Phish” button on the toolbar/ribbon located at the top of your page. This action will send the questionable email to the UW–Madison Cybersecurity Operations Center (CSOC).

Non-Outlook users: 
If you do not see the “Report Phishing” button, then forward the message as an attachment  (Source: KB 34567) to Please do not simply forward the questionable email, as this will prevent us from seeing the header of the message and make it difficult to take appropriate action.

For additional information, please refer to: Office 365 – Submit a message as spam/phishing (Source: KB 45051).

If you are ever unsure whether an email message is legitimate, DO NOT RESPOND to it! Instead, contact the DoIT Help Desk (608) 264-HELP (4357) and ask for advice.