A “spear phishing” scam has left 803 current and former employees of San Marcos, Texas, at risk of having confidential information stolen.
The scheme involved a San Marcos payroll department employee responding to a request for all city employees’ W-2 information on Feb. 22, Austin TV station KXAN reports. The request message was made to look like it came from someone in city hall, containing the address “@sanmarcostx.gov,” The information that the city employee unwittingly sent to the scammer contained employees’ names, addresses, social security numbers and earning information.
“Spear phishing emails are an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques,” San Marcos Acting City Manager Steve Parker said in an email to all city employees, per KXAN.
San Marcos leaders learned of the issue on March 13 when some city employees noted difficulties in filing their taxes with the Internal Revenue Service (IRS), Austin, Texas, TV station KVUE reports. In response to the scheme, San Marcos will give three years of identification monitoring, credit monitoring and identity theft protection services to employees that the incident affected, according to the Austin American-Statesman.
"Of course I was extremely concerned, because yes - my information was out there also. I'm very happy with the way that we have been on this and trying to prevent, and provide tools to make sure that people's identification is protected. It is a scary thing to have your information compromised," San Marcos Finance Director Heather Huriburt told KVUE.
San Marcos is also working with its cyber liability insurance policy provider to make sure the policy is being properly implemented, the American-Statesman reports. It has also notified the IRS, state taxing authorities and police of the incident.
IRS Commissioner John Koskinen has called phishing scams like this one the most dangerous the IRS has seen in some time, San Antonio TV station KSAT reports.
"We will continue making sure that our employees are aware,” Huriburt told KVUE. I know I've sat down with my employees, and reiterated - 'always take that 30-second step back when you look at something. If it seems like the information would not be something you normally send to that person, or you're receiving e-mails with attachments on them that's not from someone that you know, always take that second to step back and verify.”