It’s that time of year again! As we all work hard to ensure our taxes are in order, cybercriminals are looking to claim their own returns. According to the Internal Revenue Service (IRS), hackers have stolen W2s from approximately 1,000 employers since 2017. As a result, the tax information for hundreds of thousands of employees, many of them from school districts, has been compromised. The IRS estimates that this string of identity theft has led to over 1.5 million fraudulent tax returns and more than $2.3 billion in bogus refunds. We encourage TASB Risk Management Fund members to follow these tips for protecting employees’ sensitive information this tax season.
How do W2 scams work?
The most prevalent W2 phishing scam begins with a seemingly innocent email asking “hi, are you working today?” These emails are almost always directed at the HR or finance office and are normally altered to appear to come from a high-ranking employee, such as a CEO, superintendent, or principal. Once the employee responds, the “superintendent” asks for the entire organization’s W2 information. They will likely put pressure on the recipient by insisting the request is highly time sensitive.
If the targeted employee provides the tax information, the district will likely receive an additional request for a routed payment to a phony tax service. The hacker can use the information to file fraudulent tax returns or even sell sensitive data such as Social Security numbers, names, addresses, income, and withholdings on the dark web.
Case study – Manatee ISD Florida
In February 2017, Manatee ISD in Florida suffered a W2 phishing attack. An email, purportedly from the local superintendent, arrived in HR and finance department employee inboxes. The email contained a strongly worded, time-sensitive request for every district employee’s W2 information. Representatives from both departments responded to the request.
As a result, sensitive information for all 7,500 district employees fell into hackers’ hands. The impacted employees filed a $300,000 class action lawsuit, and the district had to purchase an $80,000 policy for two years of identity theft monitoring. One of the employees was formally reprimanded for negligence. The other was removed from their department and demoted.
So, what could Manatee ISD employees have done to prevent the attack?
Here are some tips from the IRS and FBI that can help you protect your district and employees from this ongoing scam:
- Train your employees on how to identify fraudulent or spoofed emails.
- Limit who has access to W2s and other staff and student sensitive data.
- Institute a two-person authentication process for all outbound, sensitive data requests.
- Ask your information technology team to make sure your data loss prevention policies are configured in your email security system.
- Flag email from outside your network with a header that identifies it as external.
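The last two tips can be expressed as a mail-gateway rule. The following is an added example, not part of the original article or of any Fund or IRS guidance: it tags mail from outside the district domain as external and raises an alert when an outside sender uses a district executive’s display name, which is the lure described above. The domain, the executive names, and the two sample messages are constructed placeholders.

```python
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

DISTRICT_DOMAIN = "example-isd.org"               # assumption: the district's own mail domain
EXECUTIVE_NAMES = {"pat smith", "dr. pat smith"}  # assumption: display names worth protecting
EXTERNAL_TAG = "[EXTERNAL]"


def sender_parts(msg):
    """Return (lower-cased display name, lower-cased address domain) from From."""
    name, addr = parseaddr(str(msg.get("From", "")))
    return name.strip().lower(), addr.rpartition("@")[2].lower()


def screen(raw: bytes) -> dict:
    """Classify one message the way a gateway rule would.

    external: the From address is not on the district's domain (a missing or
    malformed From is treated as external). executive_impersonation: an
    external sender is using a protected display name. subject: the subject
    with the external tag prepended exactly once.
    """
    msg = message_from_bytes(raw, policy=default)
    name, domain = sender_parts(msg)
    external = domain != DISTRICT_DOMAIN
    impersonation = external and name in EXECUTIVE_NAMES
    subject = str(msg.get("Subject", "")).strip()
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"
    return {"external": external,
            "executive_impersonation": impersonation,
            "subject": subject}


# Constructed samples: a lookalike-domain lure and a legitimate internal message.
SCAM = b"""From: Pat Smith <pat.smith@example-isd-mail.com>
To: hr@example-isd.org
Subject: are you working today?

hi, are you working today?
"""
INTERNAL = b"""From: Pat Smith <pat.smith@example-isd.org>
To: hr@example-isd.org
Subject: Payroll calendar

Attached is the calendar for next quarter.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("internal", INTERNAL)):
        print(label, screen(raw))
```

The impersonation flag is what a two-person review of W2 requests should be triggered by; tagging alone only helps if staff are trained to read the tag.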
The IRS has seen a significant increase in this sort of phishing scam since 2017. They warn that the scam will continue as long as it is successful. If you have suffered a similar attack, please notify the IRS at email@example.com or firstname.lastname@example.org. The better the authorities understand the threat, the better advice and assistance they can provide to potential targets.
Expert help from the Fund
The Fund provides cybersecurity and data incident response coverage to members of our Property and Liability programs. Members that suspect they have been the target of cybercrime should call the Fund immediately at 855.295.8344 to report a claim. Members that have questions about cybersecurity education or consultation are welcome to contact Privacy and Cyber Risk Consultant Lucas Anderson at email@example.com or 512.505.2893.