Applies to UW–Madison faculty, staff, and contractors who are collecting information. Also relevant to alumni, applicants, parents, students, or anyone else from whom information is collected.
UW–Madison units and contractors may not collect personal identity information including restricted information and passwords via email.
Phishing scams continue to be a problem at UW–Madison. Despite various information security awareness programs, a significant number of students and staff still disclose personal financial or identity information in response to fraudulent emails and websites.
The CIO's (chief information officer's) Office, in conjunction with a working group of the Madison Technical Advisory Group (MTAG), has put systems in place to minimize the risks associated with phishing scams. Part of the challenge, though, is that the phishing attempts often look like legitimate communications, with senders posing as university departments or other official businesses.
Awareness and education are critically important in our efforts to protect the UW–Madison community from phishing scams. We cannot tell campus users it's not okay to disclose their identity information in some places, but that it's okay to do it for the university. Not only does this send a mixed message, but it overlooks the fact that email scams can so convincingly spoof our efforts.
After coordinating with several campus leadership groups, the CIO's Office has released a promotional campaign that informs the UW–Madison community that "The UW won't ask you to reveal personal identity information via email." (See: Scams To Avoid: Protecting Your Online Identity.)
Failure to comply may result in disciplinary action up to and including termination of employment.