GROTON, Conn. (WTNH) — Groton police are investigating after they say a phishing scam compromised sensitive information belonging to some town employees.

On Thursday night, Chief Louis Fusaro with the Groton Police Department announced a data breach affecting Groton Public Schools.

“We are of course heartbroken and I just can’t tell you how disappointed I am that this occurred,” said Superintendent Dr. Michael Graner. He tells News8 the business manager for the school department has been placed on paid leave while this breach is investigated.

Police say someone pretending to be the superintendent sent an email requesting W-2s for school department staff. All 1,363 employees could be affected including Dr. Graner.

“When I say we are greatly disturbed by this I’m including myself,” Dr. Graner told reporters.

The IRS has warned about scams like this especially during tax time.

“I would caution that sometimes they can mask emails they can make it look like the email,” warned Deputy Chief Paul Gately of the Groton Police Department.

That’s why police say education is key. They say you should always click on and double check the email address and make a call to confirm a request like this before giving out personal information.

“They may try to set up accounts in your name,” said Deputy Chief Gately. “They may try to file a fictitious tax return in your name

so certainly you want to try to take steps to mitigate that issue.”

A very serious lesson learned.  The school department is offering employees credit monitoring services at no cost to them.

“When we finish the investigation I will certainly take appropriate action,” said Dr. Graner.

Members of the IRS were in town Friday afternoon to meet with school staff to let them know what they can do now to protect themselves.

The sensitive employee information had been “phished” in a scheme that Chief Fusaro compared to a national trend. The investigation is in “the preliminary stages,” Fusaro says, but he points to a release issued by the Internal Revenue Service in February, warning about a “Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups, and Others.”

According to the IRS, cybercriminals disguise e-mails to look like they’re coming from in-house “using various spoofing techniques.” Payroll or human resources departments are targeted, and asked to provide a list of employees and their personal information, including their Forms W-2.

Chief Fusaro says police are working with the Board of Education and other agencies to “help mitigate any potential information breach and identify criminal actors who may have initiated this action.”

He also issued some of the following tips:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about PII, employees or other internal information.
  • If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information unless you are certain of a person’s authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don’t send sensitive information over the Internet before checking a website’s security.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. .
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
  • Take advantage of any anti-phishing features offered by your email client and web browser.