W-2 Form Phishing Scam Targets Schools

A W-2 Form phishing scam that has been widely used to trick businesses out of the tax information of their staff is now being used on educational institutions. School districts should be on high alert as cybercriminals are focusing on them.

In recent weeks, many school districts have been tricked by the scammers and have disclosed the W-2 Form data of employees. Teachers, teaching assistants, and other members of school staff have had their Social Security numbers and earnings information shared with the fraudsters. The data is being used to file fraudulent tax returns in victims’ names.

The W-2 Form phishing scam is one of the simplest con-tricks deployed by cybercriminals. It involves sending an email to a member of the HR or payroll team asking for the W-2 Forms of all employees to be sent via email. Why would any staff member send this highly sensitive data? Because the email appears to have been sent by an individual within the school district who has a genuine need for the data. This is why the W-2 Form phishing scam is so successful. In many instances, suspicions are not aroused until a number of days after the emails have been sent. By that time, fraudulent tax returns may have been submitted in the names of all of the victims.

It is unknown how many school districts have been hit so far with this W-2 Form phishing scam, although 10 school districts in the United States have revealed that their employees have fallen for the scam this year and have emailed W-2 Form data to the hackers. Overall, 23 organizations have revealed that an employee has fallen for a W-2 Form phishing scam in 2017, and at least 145 groups fell for similar scams last year.

As a result of the number of attacks, the IRS released a warning in early 2016 to alert all groups to the threat. The increase in attacks in 2017 has led the IRS to issue a warning once again. While corporations are in danger, the IRS has issued a warning specifically referring to school districts, as well as non-profits and tribal groups.

The IRS warning outlines how cybercriminals have started even earlier this year. While the W-2 Form phishing scam emerged last year, many attacks took place relatively late in the tax season. Cybercriminals are trying to get the data sooner this year. The sooner a fake tax return is filed, the greater the chance that a refund will be processed.

A variety of spoofing techniques are used to make the email seem like it has come from the email account of an executive or other individual high up in the group. In some instances, criminals have first compromised the email account of a board member, making the scam harder to spot.

2017 has also seen a change to the scam, with victims targeted twice. Along with the W-2 Form scam, the victims are also subjected to a wire transfer scam. After W-2 Forms have been sent, a wire transfer request is sent to the payroll department. Some groups have been hit with both scams and have disclosed employees’ tax information and then made a wire transfer of several thousand dollars to the same hackers.

Safeguarding against these scams requires a combination of technology, training and policy/procedural updates. The first task for all organizations – including school districts – is to send an email to all HR and payroll staff advising them about these phishing scams. Staff must be made aware of the scam and told to be cautious.

Policies and procedures should be updated to direct payroll and HR staff to authenticate any email request for W-2 Form data by telephone before sending the data.
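As an illustration of the technology part of that combination, the following added example (not from the IRS warning or any product) marks inbound W-2 requests for telephone verification and notes the spoofing signs described above. The domain, executive names and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (hypothetical, not from the article): the district's own mail
# domain and the names of executives whose identity is likely to be spoofed.
INTERNAL_DOMAIN = "district.example"
EXECUTIVES = {"pat superintendent", "lee boardmember"}
W2_PATTERN = re.compile(r"\bw-?\s?2s?\b|wage and tax statement", re.I)

# Constructed sample messages: a spoofed sender, and an internal account
# (which could be genuine or compromised; the headers cannot tell).
SPOOFED = (
    "From: Pat Superintendent <pat.superintendent@mail-district.example.net>\n"
    "Reply-To: pat.s@freemail.example.org\n"
    "Subject: Staff W-2 forms\n\n"
    "Please email me the W-2 forms for all employees today.\n"
)
INTERNAL = (
    "From: Pat Superintendent <pat.superintendent@district.example>\n"
    "Subject: Payroll records\n\n"
    "I need the W2s of all staff for a review.\n"
)


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def w2_request_flags(raw_message):
    """Return the reasons a message must be verified by telephone first."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    if not W2_PATTERN.search(f"{msg.get('Subject', '')}\n{body}"):
        return []  # not a W-2 request
    # Every W-2 request is flagged: a compromised internal account passes
    # the header checks below, so only the phone call catches it.
    flags = ["requests W-2 data by email"]
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if display_name.lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        flags.append("executive display name on external address")
    if reply_domain and reply_domain != from_domain:
        flags.append("Reply-To domain differs from From domain")
    return flags
```

The internal sample still returns one flag, which is why the telephone check applies to every request and not only to messages that look spoofed.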


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth has a focus on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone