BATAVIA – Following a successful phishing attempt that accessed the confidential information of city of Batavia employees, council members and others, City Administrator Laura Newman said additional preventive training is planned.
At the end of January, an employee received an email that appeared to come from Newman requesting all of the 2017 W-2 information, Newman said of the incident.
"The employee responded, believing it to be a legitimate request," Newman stated in an email. "It was after the information was sent that the employee questioned its legitimacy."
The breach revealed names, Social Security numbers, addresses and earnings, according to the city.
Phishing is an attempt, carried out through electronic communication such as email, to obtain sensitive information such as usernames, passwords and financial details by impersonating a genuine party.
Darren Guccione, a cybersecurity expert who is CEO and co-founder of Keeper Security in Illinois, said the Batavia incident reflects a typical and convincing ploy.
"Because it is tax season, things get crazier," he said. "There will be a lot more phishing. Don't be surprised. I've received two already. [With] the Equifax breach, there was so much information released. It's out there on the dark web being monetized. You have to be vigilant and set up … a credit monitoring service with all three [credit] bureaus: TransUnion, Equifax and Experian."
He said in the case of Batavia's W-2s, it's likely that hackers will take the information, file fraudulent tax returns and steal the refunds.
"This is very common," Guccione said of stolen tax refunds last year. "My recommendation is [to] contact [authorities] and the three credit bureaus and put a credit watch on all of the Social Security numbers. Try to file [your] tax return as early as possible if you have all the information you need."
He said phishing is the number one way to steal information from a company because it is simple to execute. Companies should run phishing simulations and tests with their employees, he said, noting the best way to beat the problem is to educate staffers on phishing attacks.
Guccione, an engineer who pursued finance and became a certified public accountant, also warns people not to be fooled by telephone or email scams.
He said the IRS … does not call or email asking for tax returns or personal information or threaten arrest if money is not forthcoming through a credit card.
In light of the theft of information, the city of Batavia will examine its policies to determine if they need to be updated, Newman said.
"We have provided cybersecurity training within the last two years and regularly send test emails to employees," she said. "However, in response to this security incident, there will be training for all employees [on] how to avoid falling for phishing schemes as well as the other various techniques that people use to gain access to private information."
Guccione's international software firm, known for its password manager and digital vault services, generates random, high-strength passwords for an individual's or business's websites and apps. He said too often people keep track of their passwords on sticky notes or lists, frequently using weak passwords. He said criminals keep a dictionary of the most commonly used ones. And about 65 percent of people use the same password on multiple websites, so if a hacker gains access to one account, they can reuse the same password on the others.