When news of a data breach emerges, victims are warned about the potential for identity theft and related crimes. But every so often, the data breach is only discovered because identity theft has already happened. That was the case for Tidewater Community College (TCC), who had over three thousand employees’ complete employment profiles—with Social Security numbers, birthdates, and other identifiable information—accessed by an unauthorized person.

After a number of employees had filed their tax returns this year, only to be told by the IRS that a return had already been filed with their identifying information, the pieces of the puzzle began to fall into place. What had initially been thought of as a coincidence finally led to uncovering the crime.

Tidewater Community College had been the victim of a CEO phishing scam.

CEO phishing, also called “boss phishing,” occurs when someone sends an email that appears to come from the boss’ email account, requesting key information. This information could be employee records, customer credit card information, accounts numbers and passwords, or other sensitive data. In the case of TCC, someone masking as an executive requested the W2 forms for all of the college’s current and former employees; anyone who had received a W2 from the school for 2015 was affected.

There isn’t a lot you can do to keep your information from falling into the wrong hands if someone else falls for a CEO phishing scam. But there is plenty you can do towards keeping this growing threat from happening in your workplace. By raising awareness of the danger and by asking your company to make prevention part of the company’s computer use policy, you can help protect yourself, your co-workers, and your company’s customers.

The first step is to ensure that no sensitive information is passed along through the company—even to the CEO, as companies like Snapchat have fallen victim to emails that appeared to come from the founder himself—without verbal verification. If you receive an email telling you to send over sensitive information, just pick up the phone and confirm it. If the request was not authentic, then you would know that someone has compromised the company’s email system in order to spoof the CEO’s email address.

Second, make it a routine habit to only send sensitive information in a brand-new email instead of hitting reply. If the boss’ email was spoofed (copied instead of actually hacked), then clicking reply will send the information back to the scammer. This step won’t necessarily help if the scammer has actually hacked the supervisor’s email account, so make sure to get that verification first.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.