IRS issues guidance to schools, among others, on W-2 phishing scam

The Internal Revenue Service recently issued an alert saying that a Form W-2 email phishing scam, which surfaced last year, “has evolved beyond the corporate world and is spreading to other sectors” and is now targeting school districts.

“This is one of the most dangerous email phishing scams we’ve seen in a long time,” said IRS Commissioner John Koskinen. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

Though no schools or local educational agencies were cited in the IRS notice, Doug Levin, a consultant at EdTech Strategies LLC, said the warning to LEAs raises questions about the state of school information security practices.

“In the last few months, I’ve seen more and more stories about schools having data breaches involving personal information of educators and school staff, and this is done by phishing, [in which] their employees’ W-2 information was stolen,” he said in an interview. “The nature of this attack is such that it could be many months or even years before some of the parties that were affected realize it happened. I think it’s safe to expect that there are other districts that have been compromised that we just don’t know about yet — and they may not know yet.”

“This is the single largest attack directed at schools that we have seen,” he added.

The nature of this attack is when someone sends a message or a number of messages to HR or payroll staff in the school district pretending to be the superintendent and asking for personal data about employees. “It’s a pretty sophisticated attack,” Levin said.

Levin said there is evidence suggesting “widespread lax school IT security practices thanks to systematic investigations,” such as those conducted in Wyoming and Missouri, in which school audits found controls for protecting and reducing data privacy and security risks were weak.

Levin believes that school districts are “underinvesting” in training, but he said “even the most sophisticated organizations can run afoul of these kinds of attacks.”

“This is about human behavior, and that’s the hardest thing to secure,” he added. “That’s a training issue. Well-crafted phishing attacks can affect otherwise pretty sophisticated people.”

Be ‘vigilant’

The IRS, state tax agencies, and the tax industry, working together as the Security Summit, said they have enacted numerous safeguards in 2016 and 2017 to identify fraudulent tax returns filed through scams like this. As the Summit partners make progress, they said, cybercriminals need more data to mimic real tax returns.

The scam began last year when cybercriminals misled payroll and HR officials into disclosing employee names, SSNs, and income information. The thieves then attempted to file fraudulent tax returns for tax refunds. Cybercriminals followed up these requests by asking for a money wire transfer, IRS officials explained.

The Security Summit partners urge employers to be “vigilant” as the scam circulates this tax season to a broader cross-section of organizations. Among its recommendations, the IRS urges school officials to “double check any executive-level or unusual requests for lists of Forms W-2 or Social Security numbers.”

This phishing variation is known as a “spoofing” e-mail, they said. It will contain, for example, the actual name of a company chief executive officer, or in the education sector, a superintendent, who is sending an email to a payroll office or human resource employee to request a list of employees and information including SSNs, the IRS noted.

According to their guidance, the following are some of the details that may be contained in the emails:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?
  • I want you to send me the list of W-2 copy of employees’ wage and tax statement for 2016; I need them in PDF file type; you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.

Organizations receiving a W-2 scam email should forward it to and place “W2 Scam” in the subject line, according to the IRS notice.

Organizations that receive the scams or fall victim to such scams should also file a complaint with the Internet Crime Complaint Center, operated by the Federal Bureau of Investigation, officials said.

Emily Ann Brown covers education technology and STEM education issues for LRP Publications.

Copyright 2017© LRP Publications, Education Daily®