CHICAGO (CBS) — Tax scammers may be targeting you at work. It’s a growing sophisticated email scam to steal your identity and to use your information to get bogus tax refunds.

2 Investigator Dave Savini spoke with the mayor of one local community that was hit hard.

“In my view, it’s the equivalent of coming over and breaking into somebody’s house,” Batavia Mayor Jeff Schielke said.

In the cozy river city of Batavia, cyber criminals stole city hall records containing sensitive and personal information of its firefighters, police officers and other workers at city hall —
even Schielke’s personal information was taken. A little over 200 employees were affected in all.

“They got scammed. They got phished, their personal information was phished,” Schielke said.

They were compromised in one of the fastest growing scams to sweep the nation. Called “spearfishing,” it specifically targets government or corporate employees who manage payroll and W2’s in order to steal people’s identities.

In Batavia, the cyber thieves created a fake email, posing as city administrator Laura Newman. They then requested a finance department employee to send all city payroll records to the bogus email, gathering enough information to allow them to file fraudulent tax returns.

“Well, you are almost hurt because, you know, it’s the people that work for you, and they’ve been endangered now by some criminal action,” Schielke said, describing how he felt when he found out.

Steve Bernas with the Better Business Bureau says this kind of scam saw an 870 percent increase last year.

“The keys to the kingdom — they have everything,” he said. “They have social security numbers, the salary information, all the confidential, private addresses, names and things of that nature.”

Mayor Schielke says he’s hopeful the damage will be limited because they caught it fast and the feds are now involved. “The message we want to send here is that there is an active, ongoing investigation involving multiple agencies.”

Any time private data is requested by e-mail, do not reply. Instead, look up the person’s contact information in another way and reach out to verify the request is legitimate. This hold true for any phishing scam.