REGIONAL- ISD 2142 fell prey to a common online phishing scheme on Feb. 4 when a scammer posing as Superintendent Reggie Engebritson used a fraudulent email to obtain the W-2 forms of 677 district employees.
Engebritson sent a letter to staff the same day, informing them of the data breach.
“Earlier today, a phishing scam targeted the W-2 information of all school district employees,” Engebritson wrote. “While the school district is in the process of investigating this situation, sensitive information contained in W-2s, such as Social Security numbers, has most likely been acquired by an unknown third party.”
The IRS first warned of the growing number of this type of phishing attack, targeting payroll departments of schools and businesses, in 2016. Known as a “spoofing” email, the fraudulent request for W-2 information appears to come from a company CEO, something Engebritson confirmed for ISD 2142 school board members at a working meeting on Feb. 9.
“You couldn’t tell in the email, but once the email was printed you can see the request came from me, supposedly,” Engebritson said.
Engebritson emphasized that no personal banking information was obtained in the data breach, and employees were given links to identity theft webpages for the IRS, Federal Trade Commission, and FBI.
Employees have been advised to monitor their credit reports and financial accounts as a precautionary measure, and Engebritson said that the district is working with an attorney, law enforcement, and its insurance carrier to address the breach.
“I have been working with an attorney who kind of specializes in this,” Engebritson said. “He is reaching out to the three credit bureaus to notify them. We did have insurance coverage, so we are working with our insurance company. In Minnesota, we’re only required (to provide employees with) one year of data monitoring, but we’re looking at the prices for two years.”
The attack was similar to one that fraudulently obtained the W-2s of several thousand Bloomington Public School employees in 2017. Hundreds of schools, universities, and businesses have also been scammed in recent years.
Individual risks
According to the IRS, the most common use of the illegally obtained W-2 data is the filing of fraudulent income tax returns seeking refunds. If a scammer files a fake return before an individual files their legitimate one, the IRS will notify that individual that their tax return has been rejected. Resolving the tax refund fraud can take up to a year.
However, as the number of taxpayers filing returns online has risen, so have IRS efforts to identify fake returns when they are filed and before any refunds are issued. The IRS analyzes electronic returns using 193 filters based on characteristics of confirmed identity theft tax returns, including amounts claimed for income and withholding, filing requirements, taxpayer age, and filing history, according to a 2019 interim inspector general’s report. In the first two months of 2019, 3,529 fraudulent refund returns were identified and 2,895 of them stopped before a refund was issued.
Another mechanism employed by the IRS to defeat fraudulent filings is for taxpayers to obtain a unique PIN number from the agency that is necessary to file returns online. Engebritson said that ISD 2142 employees have been given the instructions for getting an Identity Protection PIN, which are available online at https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin.
Another threat from the exposed data can be if someone uses a Social Security number and other personal information to obtain a job. The IRS may determine that a taxpayer has unreported income based on what was reported for the fraudulent employee, and it may also impact how Social Security benefits are calculated and managed.
Identity theft of all types resulted in nearly $17 billion lost in 2019 and affected one of every 20 consumers in the U.S., according to the credit agency Experian.