Hackers will target anyone and anything, be that hospitals, the police, or other hackers. Even though the year is just getting started, schools have already faced a wave of phishing attacks designed to steal sensitive employee tax information, according to a consultancy focused on education and technology.
"There is a pretty unusual and unprecedented phishing attack targeting schools right now; it may have resulted in the disclosure of tens of thousands of educators' financial records (W-2s)," Doug Levin, the founder and president EdTech Strategies, told Motherboard in an email.
In a typical W-2 scam, hackers will send a spoofed email, pretending to be the CEO or someone else in a position of authority from the target's organization. They'll then ask the recipient, perhaps someone who handles the organization's payroll, to send a list of employees and their respective W-2 forms. Armed with these, the hackers can file fraudulent refund requests, and pocket the cash.
In a blog post, Levin has collated local media reports on over a dozen different schools being targeted by these sort of phishing scams in 2017. They include a case involving the School District of Manate County, Florida, in which hackers grabbed the names, addresses, wages, and Social Security numbers of more than 7,700 employees. A staffer from Davidson County Schools, North Carolina, recently handed over W-2 information for around 3,200 employees, and fraudsters also obtained details on 950 employees from the Mercedes Independent School District, Texas.
The wave of attacks hasn't fallen under the radar though. At the beginning of February, the Internal Revenue Service (IRS) warned that hackers were using W-2 scams against restaurants, hospitals, and schools. In some cases, scammers are also asking victims to wire transfer funds as well.
"This is one of the most dangerous email phishing scams we've seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone's help to turn the tide against this scheme,'' IRS Commissioner John Koskinen said in the announcement.
The attackers may have realized how easy of a target schools really are.
"My guess is the bad guys figured out how susceptible .edu email addresses are. Phishing can be tough for even sophisticated targets, but K-12 schools are definitely not that," Levin told Motherboard.
According to Dissent Doe, the pseudonymous administrator of breach monitoring website DataBreaches.net, she has already recorded "more [W-2 phishing attempts] so far this year than all of last year when it comes to K-12 schools."
"Of course, I'd qualify it all by saying did schools even detect it last year? We've already found two entities (not necessarily schools) that while investigating breaches this year found that they had also been phished successfully last year," she told Motherboard in a Twitter message.