Spear Phishing Attack Exposes Tax Information of 3,000 Community College Employees

tcc-phishing-irsIt seems the string of W-2 scams isn't slowing down. A new report details another attack that targets tax information, this time on Tidewater Community College (TCC). The Norfolk, Virginia-based college shared in a post that tax information of over 3,000 of its employees were affected, referring to “current and former full-time, part-time wage, adjunct and student employees”.

This means that anyone who received taxable income from the institution in 2015 may have had their information exposed. According to the TCC post, the attack compromised personal information that included names, employee number, Social Security number, federal wages and tax, social security wages and tax, state wages and tax, and even deductions for health insurance, retirement funds and dependent care. However, TCC noted that the stolen data does not include addresses, dates of birth, spouse information, email addresses and banking credentials.

TCC Public Information Officer Marian Anderfuren shared that investigations began after the IRS notified several employees that a tax return had already been filed using their Social Security numbers. It was later discovered that on March 2, 2016, an email was sent by an employee to an unknown recipient that seemed to have come from a legitimate TCC account. It was then identified that the request was a ruse and that the file containing the employee tax information was sent to a cybercriminal-controlled account—a classic spear-phishing attack tactic. 

[Read: How a Business Email Compromise scheme works]

Barely a week ago, the same kind of tactic was used by perpetrators behind the breach of a Virginia-based supermarket chain, Sprouts Farmers Market. An email message masked as an executive’s request duped a payroll department employee into sending 2015 W-2 statements to a fraudulent account, thus exposing the tax information of over 21,000 employees. In the past month or so, Seagate and Snapchat were also added to the long line of corporations tricked by similar phishing attacks.

An analysis spanning a decade of data breaches that impacted the U.S. puts the education sector as the second most affected industry by this kind of attack—accounting for 17% of all recorded cases. However, the more important question to ask would be: where does the stolen data go?

Phishing attacks and Business Email Compromise (BEC) scams are normally designed to con a target to wire money out of a targeted company to a cybercriminal-controlled account. However, the recent incidents also show how valuable tax information and employee PII could be to an attacker.

Anderfuren shared, "This affects everyone from the President on down. This is an anxious time of the year to start with because it's tax filing season and this adds another layer of anxiety to what folks are already dealing with. We're very sensitive to that and, of course, sensitive to it because we are feeling it ourselves."

In a separate statement directed to the college’s employees, TCC President Edna Kolovani confirmed that the IRS has notified at least 15 employees that a return had already been filed using their Social Security numbers.

The stolen data—whether in the form of medical records or tax information—is a valuable underground commodity. Besides having value as a product that can be sold in underground markets, the data can also be used to stage future attacks.

In a consumer alert posted earlier this year, the IRS has warned the public of a 400% uptick of IRS scam cases reported this year—a significant growth from last year. In fact, from January to February alone, 1,389 incidents have already been reported, more than of the 2,748 total incidents reported throughout 2015. Apart from users and organizations, it was then reported that tax professionals were also targeted by the same techniques in an attempt to steal IRS service credentials. In a statement, IRS Commissioner John Koskinen said, “Watch out for fraudsters slipping these official-looking emails into inboxes, trying to confuse people at the very time they work on their taxes. We urge people not to click on these emails.”

[Read: A closer look at IRS scammers]

As the TCC notice says, “No amount of technology will prevent phishing, spearphishing or other kinds of attempted electronic fraud. The old saying, “Look before you leap,” applies here.

Officials of the TCC are currently working closely with the authorities to pin down the source of the attack. Further, a directive was issued to hold advanced cybersecurity training for employees who handle highly sensitive data.  The affected employees will be provided with free credit monitoring services, and a dedicated hotline has been set up for employees who may be affected by the breach.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.