State workers’ W-2 info compromised in phishing scam

At least 500 state workers fell prey to a phishing scam on Thursday, and state officials say the tax records of as many as 50 employees were compromised.

An email with the subject line “IMPORTANT TAX RETURN DOCUMENT AVAILABLE” took unsuspecting state workers to a dummy login landing page that replicated the Department of Human Resources website. The email encouraged employees to click on a link to get access to W-2 information.

State workers who entered their user name and password were taken to a W-2 form with their name, address, social security number and bank account number.

The scammers could then view the personal information.

Richard Boes, commissioner of the Department of Information and Innovation, said his agency tries to educate people not to click on phishing attacks, but “this one was a little better than the other ones — it looked more professional.”

Boes said DII shut down all outside access to the system so that even if someone clicked on the link they wouldn’t go to the phishing site.

The phishing scam began hitting state workers’ email inboxes at 10:57 a.m. Thursday. Human Resources sent out a warning to state employees about the scam at 11:33 a.m., and a warning from the Department of Information and Innovation followed at 11:43 a.m. The warnings from DII were sent to select groups of state employees over the course of the day, some coming through at 3:38 p.m. All state workers were notified by DHR and DII on Friday morning, state officials say.

DII notified the Department of Human Resources “mid-day,” according to commissioner Maribeth Spellman.

“It’s one of those situations that sort of starts and people try to figure it out and put processes in place to figure out where it is coming from and informing them,” Spellman said.

The email came from a Comcast account, not a state account. The IP addresses could be from anywhere in the world.

The Vermont State Police have opened an investigation, according to Darwin Thompson, deputy commissioner of DII. The Vermont Attorney General has also been notified and DII and DHR have complied with requirements for breaches of confidential information, Spellman says.

Thompson says the security of state payroll and tax systems has not been compromised as a result of the phishing incident.

Spellman said her department and DII have been working around the clock to identify potential victims and provide them with information about identity fraud, tax fraud assistance and credit reporting agency information. The departments have also contacted Microsoft to determine how the phishing attack got through the state email system.

“We were receiving calls on the help desk, walking through how to change passwords,” Spellman said. “We also force-changed everyone’s password in the system.”

DHR has been working with the Tax Department to flag accounts that may have been compromised.

Spellman said sophisticated fraud operations are active between now and February when employers provide W-2s to workers.

Criminals may try to file for tax refunds in other states, Thompson said.

Doug Gibson, spokesman for the Vermont State Employees’ Association, said that the union encourages employees who clicked on the link to contact DHR.

“It’s an unfortunate occurrence and we’re working with the state to make sure that everyone is receiving the protections they need,” Gibson said.

The text of the phishing email follows.

From: [email protected] [mailto:[email protected]] 
Sent: Thursday, January 21, 2016 10:58 AM
Dear Account Owner,

Our records indicate that you are enrolled in the Vermont State paperless W2 Program. As a result, you do not receive a paper W2 but instead receive e-mail notification that your online W2 (i.e. “paperless W2”) is prepared and ready for viewing.

Your 2015 W2 corrected statement is ready for viewing, follow the link below

Click Here to Login

To opt out of the Paperless W2 Program, please login to Employee Self Service at the link above and go to the W2 Delivery Choice webpage and follow the instructions.

Vermont State’s Human Resource Management Systems

Anne Galloway
