Not all phishing attempts are spear-phishing for W-2 forms. The University of Idaho is notifying employees whose personal information was in an employee’s email account after the employee fell for a phishing attack.
From their notification:
On January 24, 2017, we detected that one of our accounts was being used to send phishing email. The email asked the employee to use their email account user name and password to sign-on to a website that appeared to be an Office 365 portal. The university immediately began an investigation and discovered that an unauthorized individual may have gained access to the employee’s email, including the messages stored in the account. Upon learning about the incident, the employee’s passwords were changed to prevent any further unauthorized access to their email account, and we expanded the investigation, retaining a leading computer security firm to assist us.
Our investigation determined that the employee’s email messages contained personal information for 257 individuals, including yourself. Your personal information included your name, address, and Social Security number. Even though we have no evidence that any of your information has been misused, we are notifying you so that you can take appropriate steps to protect yourself.
Unfortunately, they do not explain how the first university account (the one used to send the phishing email) was compromised, but it sounds like a two-stage attack: one account is taken over, then used to phish a colleague whose mailbox happened to hold personal information on 257 people. And can you really blame the employee who followed the directions in an email that actually came from a university account?
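The lure described in the notification, a message from a trusted internal sender pointing at a site that "appeared to be an Office 365 portal", is exactly the case where sender-based trust fails: a compromised colleague's account passes SPF, DKIM and any "internal sender" allowlist, so the only remaining signal is the link itself. The following is an added illustration, not code from the University of Idaho or its notification, of a simple mail-gateway check that combines a credential-lure keyword match with a lookalike test on link hosts. The allowlist of Microsoft sign-in hosts, the `uidaho.edu` internal domain and the three sample messages are all assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: hosts Microsoft actually uses for Office 365 / Microsoft 365 sign-in.
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.microsoft.com",
    "login.live.com", "portal.office.com", "www.office.com",
}
LEGIT_LOGIN_SUFFIXES = (".microsoftonline.com", ".microsoft.com", ".office.com", ".live.com")
INTERNAL_DOMAIN = "uidaho.edu"  # assumed for the example
BRAND_WORDS = ("office", "microsoft", "o365", "outlook", "onedrive")
CRED_WORDS = re.compile(
    r"\b(user ?name|password|sign[- ]?on|sign[- ]?in|log[- ]?in|verify your account)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)


def is_legit_login_host(host: str) -> bool:
    """True only if the host is, or is a subdomain of, a real Microsoft sign-in host.
    'login.microsoftonline.com.evil.example' ends with '.example', so it is rejected."""
    host = host.lower().rstrip(".")
    return host in LEGIT_LOGIN_HOSTS or host.endswith(LEGIT_LOGIN_SUFFIXES)


def _is_internal_host(host: str) -> bool:
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyze(raw: str) -> dict:
    """Classify one raw RFC 822 message as 'phish', 'suspicious' or 'ok'.
    The sender is reported but deliberately NOT used to lower the verdict:
    an internal From: address is the normal case in a two-stage attack."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = _body_text(msg)
    hosts = [h for h in (urlparse(u.rstrip(".,;:)")).hostname for u in URL_RE.findall(body)) if h]
    # Hosts that borrow a Microsoft brand word but are not Microsoft's: the fake portal.
    lookalikes = sorted({h for h in hosts
                         if not is_legit_login_host(h) and any(b in h for b in BRAND_WORDS)})
    # Other external hosts; only interesting when the text also asks for credentials.
    unknown = sorted({h for h in hosts
                      if not is_legit_login_host(h) and h not in lookalikes and not _is_internal_host(h)})
    lure = bool(CRED_WORDS.search(body))
    if lookalikes and lure:
        verdict = "phish"
    elif lookalikes or (lure and unknown):
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {
        "sender": sender,
        "internal_sender": sender.endswith("@" + INTERNAL_DOMAIN),
        "credential_lure": lure,
        "lookalike_hosts": lookalikes,
        "unknown_hosts": unknown,
        "verdict": verdict,
    }


# Constructed sample messages (not real mail from the incident).
PHISH = """From: Jane Doe <jdoe@uidaho.edu>
To: staff@uidaho.edu
Subject: Action required: verify your Office 365 mailbox
Content-Type: text/plain; charset=utf-8

Your mailbox is almost full. Sign-on with your user name and password at
https://office365-portal.login-verify.example.net/owa to keep receiving mail.
"""

LEGIT = """From: IT Help Desk <helpdesk@uidaho.edu>
To: staff@uidaho.edu
Subject: Password expiry reminder
Content-Type: text/plain; charset=utf-8

Your password expires in 10 days. Change it at https://login.microsoftonline.com/ or contact the help desk.
"""

NEWSLETTER = """From: Campus News <news@uidaho.edu>
To: staff@uidaho.edu
Subject: This week on campus
Content-Type: text/plain; charset=utf-8

Read the full schedule at https://www.uidaho.edu/events.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT), ("NEWSLETTER", NEWSLETTER)):
        print(name, analyze(raw))
```

The point of the design is that the internal sender is reported but never used to downgrade the verdict: both the phish and the legitimate help-desk reminder come from `uidaho.edu` addresses and both mention passwords, and what separates them is solely whether the link lands on a real Microsoft sign-in host. A host like `login.microsoftonline.com.evil.example` is also rejected, because the suffix test runs on the registrable end of the name, not on a substring.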