Just a few days after the IRS released its warning about W-2 phishing, it appears that the College of Southern Idaho (CSI) reported that 3,000 employees’ personal information may have been compromised by a phishing scam.
Attackers are now expanding their sights into higher education, according to a recent article by Paul Greene, an attorney at Harter Secrest & Emery. With their large numbers of employees, including seasonal employees, community education instructors and staff of auxiliary agencies, these institutions are rich sources of sensitive information and money. In this case, someone impersonating a CSI administrator emailed an employee requesting W-2 information for all school employees over the past two years.
A data breach of this type can be very expensive, disrupt the organization, harm the school’s reputation, and is a strong indicator that the school will be targeted again. It also marks other higher education institutions as potential targets for similar phishing scams.
Unfortunately, phishing can hit even organizations sensitized to these scams. A case in point is something that happened to me this week. I got an email from someone in my company asking for my help. I responded asking what I could do, and through a series of emails the person asked me to help them send some money using Western Union. At that point I got suspicious and wanted to see how far this went. I asked them where they wanted to send it and whether we could speak. At that point the spammer said they couldn’t speak but asked me to send $750. Needless to say I didn’t respond, but I had noticed that the return email addresses changed each time I replied, and none of them belonged to anyone in my company.
The best defense against these scams, and the data breaches they can cause, is to make employees aware of them and to deploy technology that makes the information hard to steal. All PII and other sensitive information should be encrypted and protected by persistent security policies so that only authorized users can open it. If W-2 or other PII files were to leak through a scam like this, the recipients would be left with useless files of unreadable data. No accessible data, no data breach.
If your employees are unaware of good data security practices, teach them. No executive should ever ask for W-2 information or other PII by email, and every employee, executives included, has a responsibility to protect this sensitive information from unauthorized access. Checks and balances are needed to verify that a request is legitimate and that the party on the other end can be trusted. Technology can help ensure that sensitive data can’t get out, but employees must be taught good data stewardship practices before they become victims.
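One concrete form of the checks and balances just described, as an added example that is not part of the original post: a small Python triage script that flags the warning signs from the story above, a sender or Reply-To outside the organization's own domain and a request for W-2s, PII or a money transfer. The domain example.edu, the keyword list and the two sample messages are constructed for illustration.

```python
# Added example (not from the original post): flag the warning signs described
# above so a W-2 or payment request gets verified out of band before anyone acts.
from email import message_from_string
from email.utils import parseaddr
import re

ORG_DOMAIN = "example.edu"  # assumed domain of the organization
PII_REQUEST = re.compile(r"\b(w-?2s?|ssn|social security|payroll|wire|western union)\b", re.I)

def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw_message):
    """Return a list of reasons this message deserves out-of-band verification."""
    msg = message_from_string(raw_message)
    reasons = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if from_dom and from_dom != ORG_DOMAIN:
        reasons.append("sender is outside %s (%s)" % (ORG_DOMAIN, from_dom))
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To (%s) differs from From (%s)" % (reply_dom, from_dom))
    body = msg.get_payload()
    if PII_REQUEST.search(msg["Subject"] or "") or PII_REQUEST.search(body):
        reasons.append("message asks for W-2/PII or a money transfer")
    return reasons

# Constructed sample: a request shaped like the CSI incident described above.
SUSPICIOUS = """\
From: "Dr. Pat Dean, Provost" <pdean@examp1e-mail.com>
Reply-To: pdean.office@gmail.example
Subject: Urgent: W-2 copies needed

Please send the W-2s for all employees from the past two years as PDF today.
"""

# Constructed sample: ordinary internal mail with no PII request.
BENIGN = """\
From: Alice <alice@example.edu>
Subject: Room booking

Can we move Thursday's meeting to room 204?
"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS), triage(BENIGN))
```

A real deployment would run the same checks in the mail gateway and route hits to a verification step (a phone call to the requester's known number), not just print them.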
Photo credit: Jim Pennucci