A fraudulent phishing scam has circulated throughout districts in Texas and across the country in recent months, exposing private W-2 information of employees in several school districts.
It happens when someone impersonating a superintendent e-mails a payroll or human resources employee requesting copies of staff W-2 forms.
In many cases, the contacted employee is not someone with whom the superintendent interacts on a frequent basis. These employees are more likely not to question a request from someone in a position of power and simply surrender the requested information with little or no pushback.
The e-mails being circulated now are not like ridiculous spam messages of years past. There are no flashing red lights informing you of a computer virus, or a plea to send $25,000 to someone with a guarantee they will triple your investment in weeks. The recent phishing e-mails look like legitimate requests for information and may even appear to be sent from the superintendent’s e-mail address. This is a premeditated and calculated attempt to secure private employee information, including Social Security numbers. According to an alert issued by the Internal Revenue Service (IRS), some organizations that have been victimized in the past are being targeted again.
Districts should be aware they can be targeted regardless of district size or location and should take steps to prevent this scam from happening to their staff.
Guidance on handling situations where anyone, including a superintendent, requests sensitive information from a district employee is listed below:
- Never send out confidential personal information of any employee.
- If you feel like the request is somewhat suspicious, contact a supervisor or IT director to double-check the validity of the e-mail.
- Review the sender’s address and make sure it is the exact e-mail of the person it’s supposed to be sent from.
- If your district is a member of the TASB Risk Management Fund’s Property and Liability program and you believe your organization has fallen victim to this scam, contact the Fund at 888.920.5130, ext. 2893. If you believe your organization has fallen victim to this scam, contact the IRS directly, as indicated in their press release so steps can be taken to protect employees from tax-related identity theft.
For more information on how to recognize and prevent a phishing scam, review the Fund’s phishing FAQs.
Zach DiSchiano is the TASB HR Services Communications Specialist. This article was orginally published in the TASB HR Services e-newsletter, the HR Exchange.