Another school phishing email attack has resulted in the W-2 Form data of school employees being emailed to tax fraudsters. This time, it was employees of Mercer County Schools in West Virginia whose data have been compromised.

The FBI has been called in to investigate the W-2 phishing scam and the IRS has been notified of the incident, while affected employees have been offered services to help them protect their identities.

The school phishing email attack is just one of many such attacks that have occurred this year. While businesses have been extensively targeted in the past, phishing attacks on schools are now commonplace. The problem has become so severe that the IRS recently issued a warning to schools of the risk of phishing email attacks, saying “This is one of the most dangerous email phishing scams we’ve seen in a long time.”

The Mercer County School District phishing attack was almost a carbon copy of many other tax season attacks this year. Already, there have been more than 29,000 victims of these attacks and there is still two months of tax season remaining.

The school phishing email attack involved the sending of an email to an employee in the HR/payroll department requesting a copy of W-2 Forms for all employees that worked in the previous fiscal year. The email was sent from an email account that was very similar to that used by the chief supervisor.

The email contained a slight variation from the genuine email address, which was enough to fool the recipient into thinking the email had been sent from the supervisor’s account. The employee then sent the W-2 forms of 1,800 staff members to the attackers as requested.

Databreaches.net has been tracking this year’s W-2 phishing scams and is maintaining a list of all organizations that have been scammed into revealing W-2 Form data. The list shows that school districts are being extensively targeted.  Successful W-2 phishing attacks have been reported by the following schools and school districts in the past 6 weeks:

  • Argyle School District, TX
  • Belton Independent School District, TX
  • Bloomington Public Schools, MN
  • College of Southern Idaho, ID
  • Davidson County Schools, NC
  • Dracut Schools, MA
  • Lexington School District 2, SC
  • Manatee County School District, FL
  • Mohave Community College, AZ
  • Morton School District, IL
  • Odessa School District, WA
  • Tipton County Schools, TN

The Manatee County School District phishing attack resulted in the W-2 Form data of 7,900 employees being emailed to the scammers: The biggest school phishing email attack of the year to date. The Bloomington Public Schools attack also resulted in thousands of employees’ W-2 Forms being disclosed.

There are a number of measures that can be taken to reduce the risk of phishing attacks such as these. Training should be provided to HR and payroll staff and they should be instructed to carefully check senders’ email addresses to ensure the correct account has been used. Policies should also be developed requiring any W-2 Form requests to be verified with the sender via the telephone. It is also essential to implement a spam filtering solution with a powerful anti-phishing component. This will help to ensure that the emails are not delivered. A spam filtering solution will also block malware and ransomware emails from being delivered. The latter types of malicious emails have also been a major problem for school districts over the past year.