W-2 phishing scam hits Virginia school district

The Form W-2 phishing campaign has struck again, this time compromising the personal information of 905 employees of the Powhatan County (VA) school district.

An employee of one of the seven schools in the district responded to an email that appeared to be from a senior member of staff requesting employees’ Forms W-2. It was, in fact, from a scammer seeking the tax records because they contain almost all the data needed to file false tax refund claims: names, addresses, Social Security numbers, and bank account information.

The district discovered the breach quickly and immediately contacted the IRS, the Federal Trade Commission, and the FBI. There is no evidence yet that the scammer has been able to use the information for malicious purposes.

This scam has been causing havoc throughout tax season and originally appeared last year.

The email

The scammer posed as the school district’s superintendent, Dr. Eric Jones, and sent the fraudulent email to a member of staff. If this was anything like past W-2 phishing scams, it’s likely to have been someone in the human resources department.

Speaking to a local newspaper, Jones confirmed that the email was in his name but did not come from his address. Failing to notice that the email didn’t originate from its supposed sender (or any internal email address) is a poor mistake to make, but it was probably far from the only clue that this was a phishing email.

While the specifics of this email are unknown, examples of the W-2 phishing campaign – and phishing scams in general – are publicized enough that the tell-tale signs of phishing emails are well established.

Often phishing emails can be identified by a request for sensitive information apropos of nothing. If the request were genuine and serious enough, a senior member of staff would typically speak to their colleague directly.

Scammers often get around this by presenting a sense of urgency. The emails claim that they must be responded to immediately. Employees often mistakenly think it is better to not risk being reprimanded by senior members of staff than to be responsible for causing delays.

Many phishing emails, including past versions of this scam, contain typos or grammatical errors that a senior member of staff would never make.

Prepare your staff for the risks

Identity theft is a serious issue every tax season. Hundreds of thousands of Americans find themselves victims simply because they – or someone in their organization – accidentally hand over information to scammers.

Training your staff to spot the signs of a phishing attack is essential, but it is also important that, in practice, employees maintain their guard. IT Governance offers both a Phishing Staff Awareness Course and a Simulated Phishing Attack to help you train and test your staff on their cybersecurity knowledge.

The Phishing Staff Awareness Course uses real-life examples, tips, and best practices to help staff learn how to identify and respond to a phishing email. The Simulated Phishing Attack launches a benign phishing attack against your organization, exposing any security gaps that you need to address.