Posing as superintendent, imposter obtains tax forms of Groton school employees
Groton — Groton Public Schools suffered a major security breach Wednesday when an imposter sent an email posing as the superintendent of schools and obtained the W-2 forms of all district employees, Superintendent Michael Graner said.
Employees in the business office believed Graner was asking for the information and sent the W-2 forms of all 1,300 public school employees via email, Graner said. They then realized that he had not sent the request, Graner said.
“Whoever this is has all the information from the W-2 forms, which is, of course, a disaster,” he said Thursday.
The school department’s business office received the email asking for the information at about noon on Wednesday, Graner said. Although the sender pretended to be the superintendent, the email was not sent from Graner’s account, he said.
Multiple employees were involved in the breach, Graner said. After the email was sent, a woman in the business office commented to her husband that they’d had an unusual request, Graner explained. The husband works in cybersecurity for the government and said it didn’t sound right, Graner said. The school department then checked and realized that Graner had not sent the email.
“It wasn’t that the email account was hacked. She believed it was from me,” he said, adding, “It really raises the whole issue of making sure that we are implementing proper cybersecurity measures in the school district. That’s one obvious lesson that we’re learning in a painful way.”
Groton Town Police Chief Louis J. Fusaro Jr. said in a statement that police were contacted by the school district regarding the possible data breach. Detectives are working with the Board of Education and several other agencies on the investigation.
"While this investigation is in the preliminary stages, evidence suggests that information was provided through a Phishing scam," Fusaro said. "Groton Police advise the public to be cautious when providing any personally identifying information (PII) through e-mail or any other electronic means. Police also warn that there are several scams that the public should be aware of, including the deliberate targeting of public institutions."
On Jan. 25, the IRS, state tax agencies and the tax industry renewed a warning about an email scam that uses a corporate officer’s name to request employee W-2 forms from company payroll or human resources departments, according to an IRS news release.
The IRS already had been notified that the email scam was making its way across the country for a second time. It first appeared last year, the release said.
“Cybercriminals tricked payroll and human resource officials into disclosing employee names, (Social Security numbers) and income information. The thieves then attempted to file fraudulent tax returns for tax refunds,” the release said.
The scam, a version of “phishing,” is also known as a “spoofing” email, the release said. In one variation, the email contains the actual name of a chief executive officer, is sent to a payroll or human resource employee and requests a list of employees and information including Social Security numbers, the release said.
The spoofing email may ask for specifics, like “kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review,” the news release said.
On Feb. 2, the Internal Revenue Service issued an alert to all employers that the Form W-2 email phishing scam had evolved beyond the corporate world, spreading to other sectors, including school districts, tribal organizations and nonprofits.
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” IRS Commissioner John Koskinen said in the warning.
The school department notified Groton Town Police, the IRS and the Connecticut office of the Attorney General, Graner said. Police and the FBI are investigating, he said.
The FBI told Graner that the agency suspected the email had come from overseas and been sent to hundreds, if not thousands, of school districts, Graner said. He notified the state Department of Education and the Connecticut Association of Public School Superintendents, he said.
The school department also reported the incident to its insurance agent and arranged for the purchase of a credit monitoring plan to protect employees. The IRS is sending an agent to Groton to speak to all school employees at 3 p.m. and 4 p.m. Friday about what happened and how to safeguard their financial records, Graner said.
He had not determined Thursday what, if any, disciplinary action might be taken regarding the employees, as he was first concerned with handling the immediate aftermath of the breach, he said. But he said the school department must take additional steps not only in its business office, but across the school system to ensure cybersecurity.
Kim Watson, chairwoman of the Groton Board of Education, said she was grateful that "corrective action was taken immediately" after the breach was discovered. But she said the district will need to respond to what occurred and consider questions like how employees should handle email requests.
To avoid scams
Groton Town Police offer the following advice to avoid scams:
• Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about personally identifiable information, employees or other internal information.
• If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
• Do not provide personal information unless you are certain of a person's authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Don't send sensitive information over the Internet before checking a website's security.
• Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain, for example ending with .com instead of .net.
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
• Install and maintain anti-virus software, firewalls and email filters to reduce some of this traffic.
• Take advantage of any anti-phishing features offered by your email client and web browser.
For additional information visit the Groton Town Police scam alert website, http://www.groton-ct.gov/depts/police/scam_alerts.asp, or the U.S. Computer Emergency Readiness Team's cyber awareness system page, https://www.us-cert.gov/ncas.