Last week, the Internal Revenue Service issued an “urgent” alert warning that an email phishing scam, targeting employees’ W-2 form information, “has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits.”
Among the companies affected is Amplify, a New York City-based education technology company. The attack compromised personal information for anyone employed by Amplify during 2016, but not customers, including schools and students, the company reports.
In a memo sent to its employees earlier this month, the company said it first learned about the phishing attack on Feb. 3, a day after the incident took place. An Amplify employee received an email, purportedly from company CEO Larry Berger, requesting W-2 form data for the 2016 tax year. The payroll information that was transferred include “first and last name, address, social security number, wages, and withholding information.”
“Amplify was a victim of the widespread ‘Form W-2 email phishing scam,’ which has affected many companies and other types of organizations,” David Stevenson, Amplify’s Executive Vice President, wrote in an email to EdSurge. “Our security team confirmed that while the attack exposed personal employee information, it did not impact our corporate network, our product platform, or customer data.” The company says it is actively working with local law enforcement, the FBI and the IRS to investigate.
It’s unlikely that student data would be compromised in these incidents, says Jules Polonetsky, CEO of the Future of Privacy Forum. “The personnel systems that a HR or accounting manager would have access to should not be linked to production systems or systems that would serve or hold student data,” he tells EdSurge.
Edtech companies are not the only ones impacted. Snapchat fell for it last year, and so too have many school districts. Last week, a similar scam affected more than 7,700 employees at Manatee County School District in Tampa Bay, Fla. In that incident, the emails requesting the W-2 information came from someone pretending to be the district superintendent. Similar attacks have targeted districts in Arizona and Texas.
The typical strategy, warns the IRS, include “spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.”
As with most suspicious emails, small typos, odd requests for help, and reply-to addresses that include unfamiliar email domains are warning flags. Be cautious of links, especially shortened ones; to be safe, mouse over the link to see where it’s going. And if there’s an email that raises the smallest inkling of doubt, call the sender to confirm.
While these tips may seem obvious, the prevalence of such incidents “shows that no matter how good your technical systems are, one employee being fooled can lead to data being shared,” says Polonetsky.