Recent Phishing Attacks
July 13, 2017
Recent phishing scams have again impacted a number of UI employees, including instances in which direct deposit information was changed in VandalWeb, resulting in employees not receiving paychecks as expected. As you may know, phishing is the fraudulent practice of sending emails purporting to be from someone you trust in order to induce you to reveal personal information, such as user names and passwords. When UI credentials are compromised in this manner, criminals can use VandalWeb to gain access to sensitive personal information (names, addresses, Social Security numbers and birth dates) and reroute paychecks to other bank accounts. Such unauthorized access can result in identity theft and financial losses.
Due to the continuing nature of this problem, and considering the material losses already sustained by members of our Vandal family, we feel compelled to take steps to protect our employees. Accordingly, we have temporarily suspended the two features in VandalWeb that represent the greatest risk to our campus community:
Electronic access to W-2 forms via VandalWeb has been disabled, because criminals can use this feature to gain access to your name, address, and/or Social Security number.
The ability to add or change direct deposit accounts via VandalWeb has also been disabled, because criminals can use this feature to reroute your paycheck to accounts at other banks (once this happens, the banks are almost never able to recover the lost funds).
In order to provide long-term security for our employees, the Division of Finance is partnering with ITS to bring multi-factor authentication (MFA) to VandalWeb. Once MFA is in place, we will restore electronic access to W-2 forms and direct deposit information. This additional layer of security will be available before the end of the calendar year. In the meantime, you can obtain copies of W-2 forms from the payroll office. We have also developed a paper form that you can use to add or change direct deposit account numbers. The payroll office will be sending additional information about these temporary measures.
We realize that these manual options will be significantly less convenient than electronic access. However, we ask for your patience and compassion as we make changes designed to protect our employees and students from potentially devastating financial losses. We hope our campus community will tolerate this inconvenience in order to provide immediate protection for all members of our Vandal family.
We want to reiterate that these changes are temporary, and are motivated by a desire to protect our employees and students. If you have questions or concerns, or if you think you might have provided your UI username and password to another party, change your password and immediately report any discrepancies to Payroll Services at firstname.lastname@example.org or by phone at 208-885-3868. Thank you for your attention to this important manner.
About the University of Idaho
The University of Idaho, home of the Vandals, is Idaho’s land-grant, national research university. From its residential campus in Moscow, U of I serves the state of Idaho through educational centers in Boise, Coeur d’Alene and Idaho Falls, nine research and Extension centers, plus Extension offices in 42 counties. Home to nearly 11,000 students statewide, U of I is a leader in student-centered learning and excels at interdisciplinary research, service to businesses and communities, and in advancing diversity, citizenship and global outreach. U of I competes in the Big Sky and Western Athletic conferences. Learn more at uidaho.edu