500 state workers fall victim to phishing scam, tax records stolen

If you’re a state worker and you receive an email from a comcast.net address with the subject line “IMPORTANT TAX RETURN DOCUMENT AVAILABLE”, you’d ignore it, right?

Unfortunately, not all would.

Roughly 500 Wisconsin state employees fell for a phishing scam last Thursday in which tax records of as many as 50 employees were compromised.

The scam was rather basic. The bogus email directed its victims to a fake landing page that replicated the Department of Human Resources website and encouraged them to click on a link that would enable them to access W-2 information.

Those who fell for the scam were then taken to a W-2 form with their name, address, Social Security number, and bank account number, all of which was visible to whoever operated the scam.

“Looked more professional…”

Richard Boes, commissioner of the Department of Information and Innovation, said his agency tries to educate people not to click on phishing attacks, but “this one was a little better than the other ones — it looked more professional.”

Personally, I don’t find the below very professional:

From: ESSW2@vermont [mailto:2015w2-3@comcast.net] 
Sent: Thursday, January 21, 2016 10:58 AM

Dear Account Owner,

Our records indicate that you are enrolled in the Vermont State paperless W2 Program. As a result, you do not receive a paper W2 but instead receive e-mail notification that your online W2 (i.e. “paperless W2”) is prepared and ready for viewing.

Your 2015 W2 corrected statement is ready for viewing, follow the link below

Click Here to Login

To opt out of  the Paperless W2 Program, please login to Employee Self Service at the link above and go to the W2 Delivery Choice webpage and follow the instructions. 

Vermont State’s Human Resource Management Systems
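
The sender line of the message above pairs a display name styled as a state address with a comcast.net mailbox. As an added example (not part of the original article), here is a Python sketch of a mail-filter check that flags that pattern. `ORG_DOMAINS` is a placeholder for the employer's real mail domain, and the consumer-provider list is an assumed sample.

```python
import re

# Assumptions for this sketch (not values from the article):
ORG_DOMAINS = {"state.example"}   # placeholder for the employer's real mail domain
ORG_KEYWORDS = {"vermont"}        # organisation name as it appears in the lure
CONSUMER_DOMAINS = {"comcast.net", "gmail.com", "outlook.com", "yahoo.com"}

# Accepts "Name <addr>" and the Outlook-forwarded "Name [mailto:addr]" form.
_FROM_RE = re.compile(
    r'^\s*"?(?P<name>.*?)"?\s*[<\[](?:mailto:)?'
    r'(?P<addr>[^\s<>\[\]]+@[^\s<>\[\]]+)[>\]]\s*$',
    re.IGNORECASE,
)

def parse_from(header):
    """Return (display_name, address); a bare address has an empty name."""
    m = _FROM_RE.match(header)
    if m:
        return m.group("name").strip(), m.group("addr").lower()
    return "", header.strip().lower()

def sender_findings(header):
    """List the reasons a From line looks like display-name spoofing."""
    name, addr = parse_from(header)
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    # Header-only check: an internal-looking address still needs
    # SPF/DKIM/DMARC validation, which is outside this sketch.
    if domain in ORG_DOMAINS:
        return findings
    if domain in CONSUMER_DOMAINS:
        findings.append("consumer-mailbox-sender")
    # Display name dressed up as an address that is not the real one.
    if "@" in name and not name.lower().endswith("@" + domain):
        findings.append("display-name-imitates-address")
    # Organisation name claimed by a sender outside the organisation.
    if any(k in name.lower() for k in ORG_KEYWORDS):
        findings.append("org-name-from-external-domain")
    return findings

if __name__ == "__main__":
    samples = [
        "ESSW2@vermont [mailto:2015w2-3@comcast.net]",   # header quoted in the article
        "Payroll Team <payroll@state.example>",          # constructed benign sample
    ]
    for s in samples:
        print(s, "->", sender_findings(s))
```
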

Don’t just train, test.

Training your staff to be aware of phishing is a must, but you need to ensure that your training has had the desired effect, and this is where IT Governance comes in. Our Simulated Phishing Attack service is exactly what you’d expect it to be. For just $765, IT Governance will run a sophisticated simulation of a phishing attack on your employees to test their ability to identify and avoid a phishing scam.

You can find out more about this service here.
