• Enterprise Risk Management
  • Insights

Don't Take the Bait: Defending Institutional Data From Phishing During the COVID-19 Pandemic

Alyssa Keehan, Esq.
May 2021
Strategies to keep your institution’s data secure

Between 2012 and June 2017, educational institutions publicly disclosed more than 200 data breaches. Nearly half of these incidents were the result of hacking, malware, or phishing. Now, during the COVID-19 pandemic, the IRS, FBI, and others allege that scams including phishing are on the rise. Phishing is a type of email attack in which a scammer attempts to obtain confidential information for malicious reasons by posing as a trustworthy entity. This is typically achieved by sending email messages with a forged sender address — a practice known as spoofing.

While educational institutions are common targets for phishing attacks, there are steps you can take to minimize the risk that the attack will be successful, reducing the likelihood of litigation.

Two United Educators (UE) claims highlight the risks associated with phishing-related data releases. An HR administrator received what she thought was a legitimate email from the university’s President, requesting the W-2 form of every employee. W-2 forms contain confidential personal information, including an employee’s name, mailing address, income, and Social Security number. The email header displayed the President’s name, although the actual sender’s email address was a few characters off. Unfortunately, the administrator sent unencrypted PDF files containing the W-2s of more than 1,300 current and former employees. An HR administrator at another institution responded to a similar email, compromising the sensitive information of approximately 3,000 employees.

Both of these successful phishing attacks resulted in numerous instances of identity theft, including fraudulent tax return filings, attempts to open credit card accounts, and an alleged attempt to open a mortgage in an employee’s name.

Keep Your Institution (and Data) Secure

Consider the following strategies to help your institution minimize the risk of a phisher taking your data:

  • Provide cybersecurity training, like UE's Data Security Learning Program, at least annually for employees with access to sensitive information. Train other employees periodically. It may be helpful to provide refresher training while your workforce is working from home during the pandemic.
  • Implement information-transfer protocols such as following up on email requests with a phone call to, or preferably, a face-to-face conversation with the person requesting the confidential information.
  • Spread awareness of these schemes. Consider warning university employees and/or students about known phishing attacks as soon as possible through appropriate email lists or social media.
  • Remind employees to watch for an increase in phishing requests just prior to tax season, and in relation to the COVID-19 pandemic.

Shortly after the two universities mentioned above notified employees of the data breaches, class action lawsuits were filed, alleging breach of contract, negligence, invasion of privacy, and unfair business practices. Since not all claimants actually suffered identity theft, the lawsuits allege damages based on the potential harm caused by the ongoing increased risk of identity theft enabled by the data breaches.

You Took the Bait. Now What?

If your institution does fall victim to a phishing attack, you can take these steps to minimize the impact and decrease the likelihood of litigation:

  • Notify those whose information has been released as soon as possible. Most states have compulsory data breach notification laws. The applicable requirements depend on the residence of affected employees, not just the institution’s home state. Be sure to follow all statutory requirements and work with experienced counsel when deciding how and to whom to give notice.
  • Consider providing credit monitoring services to affected employees and set up hotlines for concerned employees to call for assistance.
  • Inform appropriate law enforcement authorities of the crime, even if it is unlikely they can track down the fraudsters. State statutes allow institutions to delay notification if law enforcement determines it will impede the investigation.


More From UE

Protecting K-12 Student Data Privacy in a Changing Learning Environment (Insights)
Data Breach Prevention and Response: A Guide for Business Officers
Data Security Learning Program (Course Detail)

Additional Resources

IRS: Warning About COVID-Related Scams
FBI: News Alert Regarding Pandemic Scams
Federal Communications Commission: COVID-19 Consumer Warnings and Safety Tips
Centers for Disease Control and Prevention: COVID-19-Related Phone Scams and Phishing Attacks
Privacy Rights Clearinghouse: Chronology of Data Breaches