Just days after the IRS released its recent alert concerning W-2 phishing scams (which can be found here), the College of Southern Idaho (“CSI”) reported that it too has become a victim.
According to the IRS, this scam—which hit in force for the first time last year, and involves a spoofed e-mail, appearing to come from senior management asking for W-2 information—has evolved to target schools, restaurants, healthcare entities, and tribal casinos. Apparently, attackers have now also expanded their reach into higher education. This only makes sense, because—as CSI noted in its statement concerning the attack—higher education institutions can have a large number of employees, including “seasonal employees,” “community education instructors,” “dual credit instructors,” and “those who work for [. . .] auxiliary agencies.” The report of the CSI attack can be found here.
Indeed, because of the W-2-rich environment that higher education institutions create, they have long been the target of more traditional hacks involving malware. Case in point: Bradley University, which reported a malware-related PII data breach in 2015. A 41-year-old Chicago man has recently pled guilty to conspiring to use PII obtained in that breach to file fraudulent tax returns and funnel the resulting refunds to third-party debit cards. The indictment can be found here.
The breach-related obligations of a higher education institution will depend upon its for-profit or not-for-profit status, the state where it is located, the states where its employees and students reside, and a host of other factors, including the type of information compromised and the attack vector used. Needless to say, even a W-2 phishing breach like the one reported by CSI—where there was no evidence of actual compromise of the school’s systems or stored data—is expensive, causes disruption, is harmful to the school’s reputation, and is a strong indicator that the school will be the target of attacks in the future. As noted in our prior post on these attacks, the best defenses to this type of scam are education and empowerment. Every employee should be incentivized to consider security as a very personal and extremely important responsibility. In the same way most of us are aware that no bank or IRS agent will ever ask for your SSN by phone or e-mail, entities should enact policies and spread the word that no executive will ask for W-2 information or other protected PII by e-mail alone.
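The scam described above (a spoofed message that appears to come from an executive and asks for W-2 data) and the policy recommended here (no executive requests W-2 information by e-mail alone) can both be turned into a mail-gateway check. The following Python script is an added example and is not code from the original post, from CSI or from the IRS; the domain `example.edu`, the executive directory, and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for the example: the institution's own mail domain and a small
# directory of executives whose display names an attacker would borrow.
ORG_DOMAIN = "example.edu"
EXECUTIVES = {
    "jane doe": "jane.doe@example.edu",
    "sam lee": "sam.lee@example.edu",
}

# Phrases typical of a W-2 request (matched against subject + body, lower-cased).
W2_REQUEST_PATTERNS = [
    r"\bw-?2s?\b",
    r"wage and tax statements?",
    r"\b(all|every)\s+(employees?|staff)\b",
    r"\b(ssn|social security)\b",
]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyze(raw_message: str) -> dict:
    """Flag a message that talks about W-2s AND shows a sender-identity anomaly.

    Identity anomalies: an executive's display name on a different address,
    a sender outside the organization, or a Reply-To pointing elsewhere.
    A W-2 discussion from a normal internal sender is NOT flagged.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()

    findings = []
    if from_name.strip().lower() in EXECUTIVES and \
            from_addr.lower() != EXECUTIVES[from_name.strip().lower()]:
        findings.append("executive_name_mismatch")
    if from_addr and domain_of(from_addr) != ORG_DOMAIN:
        findings.append("external_sender")
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("reply_to_mismatch")
    w2_hits = [p for p in W2_REQUEST_PATTERNS if re.search(p, text)]
    if w2_hits:
        findings.append("w2_request")

    identity_flags = {"executive_name_mismatch", "external_sender", "reply_to_mismatch"}
    suspicious = bool(w2_hits) and bool(identity_flags & set(findings))
    return {"from": from_addr, "findings": findings, "suspicious": suspicious}


# Constructed sample messages (not real mail).
SPOOFED_EXTERNAL = """\
From: Jane Doe <jane.doe@example-edu-mail.com>
To: payroll@example.edu
Subject: Urgent: W-2 copies needed today
Content-Type: text/plain; charset=utf-8

Hi, please send me the W-2s for all employees as one PDF before my
2pm meeting. Thanks, Jane
"""

FORGED_FROM = """\
From: Jane Doe <jane.doe@example.edu>
Reply-To: Jane Doe <jane.doe.office@gmail.com>
To: payroll@example.edu
Subject: Quick request
Content-Type: text/plain; charset=utf-8

I am traveling. Reply with the 2016 wage and tax statements for all staff.
"""

LEGIT_HR = """\
From: HR Office <hr@example.edu>
To: all-staff@example.edu
Subject: Tax forms
Content-Type: text/plain; charset=utf-8

Your 2016 W-2 is now available in the employee portal. Do not e-mail it.
"""

if __name__ == "__main__":
    for name, sample in [("spoofed", SPOOFED_EXTERNAL), ("forged", FORGED_FROM), ("hr", LEGIT_HR)]:
        print(name, analyze(sample))
```

The check is a heuristic for routing messages to human review, not a replacement for SPF/DKIM/DMARC enforcement at the gateway or for the policy itself: the forged-From sample passes every header check except Reply-To, which is exactly why the rule employees learn should be "no W-2 data in response to e-mail alone," regardless of how convincing the sender looks.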