More than a Dozen School Districts Around the Country Fall Victim to W2 Phishing Attacks

School districts around the country are being targeted in W-2 phishing schemes that have been largely successful thus far. Employees from more than a dozen schools are at risk now all because of well-intentioned employees who fell for the  attacks.

A recent blog post on DataBreaches.net has great advice for folks working in payroll departments across the country:

“If you don’t want to be hated by your colleagues whom you have put at risk of tax refund fraud and identity theft, when you get a request to email W-2 information, STOP and consult with a supervisor and ask them to confirm up the chain that this is a legitimate request.”

News of the scams have been breaking weekly since mid January.

When a Tampa Bay-area school fell for the scam, two payroll employees released around 7,700 W-2s. District administrators learned of the scam on Feb. 3 2017.

“A hacker posing as Superintendent Diana Greene sent an email to one of the employees, requesting all W-2 forms for district employees. The Manatee payroll employee complied, and with the help of another employee, sent the hacker a PDF file containing all 7,700 W-2s for any employee who worked in the district in 2016,” according to this story reported in the Bradenton Herald.

Bloomington Public School district in Minnesota also fell victim. According to a statement on the district’s human resources page, the attack happened Feb. 10. According to the statement, “Everyone who received a W2 for the 2016 tax year” was affected by the phishing scam.

While the official number of W-2s breached isn’t mentioned in the statement, Minnesota Public Radio reported that it affected “several thousand employees, including active employees and also anyone who briefly worked for the district.”

That number could be more considering there are more than 3,100 listings in the staff directory for the school district.

The Corsicana Daily Sun reported that the Corsicana Independent School District in Corsicana, Texas was also a target this month. All 2016 district employees were affected, though the exact number wasn’t reported.

“As with many other districts also affected by this cybercriminal activity, we are looking at our procedures to ensure this incident does not happen again,” Corsicana ISD Superintendent Dr. Diane Frost said.

A Tipton County Schools employee in Tipton County, Tennessee fell for the trick on Jan. 23, according to the notification letter sent to employees. The Covington Leader covered the story.

DataBreaches.net is also keeping a running list of the entities reporting employee W-2 data acquired by phishing schemes.

Other school districts on the list include Dracut Public Schools in Massachusetts, Odessa School District in Missouri, Lexington School District in South Carolina, Morton School District in Illinois, Davidson County Schools in North Carolina, Belton Independent School District in Texas, Argyle School District in Texas, College of Southern Idaho and Mercer County Schools in West Virginia.

 

‘Urgent’ Warning

Earlier this month, the IRS issued an “urgent” alert, warning consumers that the W-2 phishing scam that first appeared last year has now evolved beyond the corporate world to target schools along with restaurants, hospitals, tribal groups and others. The scams are happening earlier this year as well.  

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen in a release posted on the IRS website on Feb. 2, 2017.

Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.

Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return rejects because of a duplicate Social Security number or if instructed to do so by the IRS.

 

Are you covered for identity theft?
Get Covered