The Internal Revenue Service has warned school business officials to beware of a phishing scam targeting schools’ payroll or human resource departments, in an effort to have them release employees’ confidential information, according to the Association of School Business Officials International.
The scam, which seeks employees’ confidential information, has already victimized more than 20 school districts in more than a dozen states, according to EdTech Strategies, a consulting firm that has been tracking publicly reported instances.
At least one prominent ed-tech company, New York City-based Amplify, was also affected, according to a report in EdSurge.
The business officials’ association alerted members to the scam in the notice on its website. Besides schools, the scammers are targeting tribal organizations, nonprofits, and other employers, the association indicated in its announcement to members, quoting from the IRS notification.
Phishing scams are a form of fraudulent email communications with the goal of tricking recipients into revealing personal information. Last year, more than 55 companies fell victim to a similar scam during tax season, according to Info Security.
The IRS reports the scam relies on a phishing email “that uses a corporate officer’s name to request employee Forms W-2 from company payroll or human resources departments,” according to ASBO, which advised its members to “ensure all HR/payroll officials double check any executive-level or unusual requests for lists of Forms W-2 or Social Security numbers from their organization.”
School administrators are no strangers to scams, which can have big financial and privacy implications for schools. Education Week recently reported on a series of ransomware cyberattacks in districts, in which administrators must decide whether to pay a ransom to have malware removed from their computer systems. And two years ago, I wrote about scammers targeting schools with bogus math textbook invoices. John Musso, ASBO’s executive director, said in an interview that reports of fake invoices still arise, and are shared by his organization.
Even so, the W-2 phishing scam surprised him, he said. “These scammers are getting so smart and so devious that it’s hard to tell what they’re going to come out with next.”
This story was updated with additional information provided by Benjamin Herold.
- Security, Cybersecurity Lead K-12 Purchasing Categories
- Cyber Insurance Emerges as Districts Guard Against Data Privacy Risks
- Ransomware Attacks Force Districts to Either Shore Up—or Pay Up
- Scammers Target Nation’s Schools With Bogus Math Textbook Invoices