At least 500 state workers fell prey to a phishing scam on Thursday, and state officials say the tax records of as many as 50 employees were compromised.
An email with the subject line “IMPORTANT TAX RETURN DOCUMENT AVAILABLE” took unsuspecting state workers to a dummy login landing page that replicated the Department of Human Resources website. The email encouraged employees to click on a link to get access to W-2 information.
State workers who entered their user name and password were taken to a W-2 form with their name, address, social security number and bank account number.
The scammers could then view the personal information.
Richard Boes, commissioner of the Department of Information and Innovation, said his agency tries to educate people not to click on phishing attacks, but “this one was a little better than the other ones — it looked more professional.”
Boes said DII shut down all outside access to the system so that even if someone clicked on the link they wouldn’t go to the phishing site.
The phishing scam began hitting state workers’ email inboxes at 10:57 a.m. Thursday. Human Resources sent out a warning to state employees about the scam at 11:33 a.m., and a warning from the Department of Information and Innovation followed at 11:43 a.m. The warnings from DII were sent to select groups of state employees over the course of the day, some coming through at 3:38 p.m. All state workers were notified by DHR and DII on Friday morning, state officials say.
DII notified the Department of Human Resources “mid-day,” according to commissioner Maribeth Spellman.
“It’s one of those situations that sort of starts and people try to figure it out and put processes in place to figure out where it is coming from and informing them,” Spellman said.
The email came from a Comcast account, not a Vermont.gov account. The IP addresses could be from anywhere in the world.
The Vermont State Police have opened an investigation, according to Darwin Thompson, deputy commissioner of DII. The Vermont Attorney General has also been notified and DII and DHR have complied with requirements for breaches of confidential information, Spellman says.
Thompson says the security of state payroll and tax systems has not been compromised as a result of the phishing incident.
Spellman said her department and DII have been working around the clock to identify potential victims and provide them with information about identity fraud, tax fraud assistance and credit reporting agency information. The departments have also contacted Microsoft to determine how the phishing attack got through the state email system.
“We were receiving calls on the help desk, walking through how to change passwords,” Spellman said. “We also forced changed everyone’s password in the system.”
DHR has been working with the Tax Department to flag accounts that may have been compromised.
Spellman said sophisticated fraud operations are active between now and February when employers provide W-2s to workers.
Criminals may try to file for tax refunds in other states, Thompson said.
Doug Gibson, spokesman for the Vermont State Employees’ Association, said that the union encourages employees who clicked on the link to contact DHR.
“It’s an unfortunate occurrence and we’re working with the state to make sure that everyone is receiving the protections they need,” Gibson said.
The text of the phishing email follows.
From: [email protected]
Sent: Thursday, January 21, 2016 10:58 AM
Subject: IMPORTANT TAX RETURN DOCUMENT AVAILABLE
Dear Account Owner,
Our records indicate that you are enrolled in the Vermont State paperless W2 Program. As a result, you do not receive a paper W2 but instead receive e-mail notification that your online W2 (i.e. “paperless W2”) is prepared and ready for viewing.
Your 2015 W2 corrected statement is ready for viewing, follow the link below
Click Here to Login
To opt out of the Paperless W2 Program, please login to Employee Self Service at the link above and go to the W2 Delivery Choice webpage and follow the instructions.
Vermont State’s Human Resource Management Systems