Identifying and Avoiding the W-2 Phishing Scam

A fraudulent phishing scam has circulated throughout districts in Texas and across the country in recent months, exposing private W-2 information of employees in several school districts.

It happens when someone impersonating a superintendent e-mails a payroll or human resources employee requesting copies of staff W-2 forms.

In many cases, the contacted employee is not someone with whom the superintendent interacts on a frequent basis. These employees are more likely not to question a request from someone in a position of power and simply surrender the requested information with little or no pushback.

The e-mails being circulated now are not like ridiculous spam messages of years past. There are no flashing red lights informing you of a computer virus, or a plea to send $25,000 to someone with a guarantee they will triple your investment in weeks. The recent phishing e-mails look like legitimate requests for information and may even appear to be sent from the superintendent’s e-mail address. This is a premeditated, calculated attempt to secure private employee information, including Social Security numbers. According to an alert issued by the Internal Revenue Service (IRS), some organizations that have been victimized in the past are being targeted again.

Since the beginning of 2017, at least five districts in Texas have fallen victim to the cyberattack. Many other districts around the country have reported similar incidents, and no one has been charged or brought into custody. Districts should be aware they can be targeted regardless of district size or location and should take steps to prevent this scam from happening to their staff.

Guidance on handling situations where anyone, including a superintendent, requests sensitive information from a district employee is listed below:

1. Never send out confidential personal information of any employee.
2. If you feel like the request is somewhat suspicious, contact a supervisor or IT director to double-check the validity of the e-mail.
3. Review the sender’s address and make sure it is the exact e-mail of the person it’s supposed to be sent from.
4. If your district is a member of the Risk Management Fund (RMF) Property and Liability program and you believe your organization has fallen victim to this scam, contact TASB Risk Management at 888.920.5130, ext. 2893. If you believe your organization has fallen victim to this scam, contact the IRS directly, as indicated in their press release so steps can be taken to protect employees from tax-related identity theft.

For more information on cybersecurity can be found on the TASB Risk Management Fund Insights page.