Don't Take the Bait: Defending Data From Phishing

June 06, 2018

Between 2012 and June 2017, educational institutions publicly disclosed more than 200 data breaches. Nearly half of these incidents were the result of hacking, malware, or phishing. Phishing is an email attack in which a scammer poses as a trustworthy entity in an attempt to obtain confidential information. This is typically achieved by sending email messages with a forged sender address—a practice known as spoofing.

Two recent United Educators claims highlight the risks associated with phishing-related data releases. An HR administrator received what she thought was a legitimate email from the university’s president, requesting the W-2 form of every employee. The email header showed the president’s name, although the actual sender’s email address was a few characters off. Unfortunately, the administrator sent unencrypted PDF files containing the W-2s of more than 1,300 current and former employees. An HR administrator at another institution responded to a similar email, compromising the sensitive information of approximately 3,000 employees.

Both of these phishing attacks resulted in numerous instances of identity theft, including fraudulent tax return filings, attempts to open credit card accounts, and an alleged attempt to open a mortgage in an employee’s name.


Keeping Your Institution (and Data) Off the Hook

Consider the following strategies to help your institution minimize the risk of a phisher rowing away with your data:

  • Provide annual cybersecurity training for employees with access to sensitive information and train all employees periodically.
  • Implement information-transfer protocols such as following up on email requests with a phone call to, or preferably, a face-to-face conversation with the person requesting the confidential information.
  • Spread awareness of these schemes. Consider warning university employees and/or students about known phishing attacks as soon as possible through appropriate email lists or social media.
  • Remind employees to watch for an increase in phishing requests when tax season approaches.

Shortly after the two universities mentioned above notified employees of the data breaches, class action lawsuits were filed, alleging breach of contract, negligence, invasion of privacy, and unfair business practices. Since not all claimants suffered identity theft, the lawsuits allege damages based on the potential harm caused by the ongoing increased risk of identity theft.


You Took the Bait. Now What?

If your institution does fall victim to a phishing attack, you can take the following steps to minimize the impact and decrease the likelihood of litigation:

  • Notify those whose information has been released as soon as possible. Most states have compulsory data breach notification laws. Requirements depend on the residence of affected employees, not just the institution’s home state. Be sure to follow all statutory requirements and work with experienced counsel when deciding how and to whom to give notice.
  • Consider providing credit monitoring services to affected employees and set up hotlines for concerned employees to call for assistance.
  • Inform appropriate law enforcement authorities of the crime, even if it is unlikely they can track down the fraudsters. State statutes allow institutions to delay notification if law enforcement determines it will impede the investigation.