Posted in Cybersecurity
From would-be Nigerian princes to foreign lottery officials, cybercriminals have been known to assume all sorts of false identities to carry out email phishing scams that trick unsuspecting consumers into clicking on fraudulent links or divulging personal information to strangers.
We often see a spike in this type of activity around tax season, when fraudsters target taxpayers in an attempt to make off with their refunds. This year, however, the annual spike is looking more like an epidemic as a variant affecting human resources departments has begun to spread with a vengeance.
On March 1, 2016, the IRS issued an alert warning “payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.”
Less than a week later, on March 7, the Attorney General of North Carolina sounded a similar alarm concerning the rise in phishing-related breaches, reporting that “[i]n 2016, 26 phishing breaches have been reported by businesses and other organizations with 16 of those reports coming within the past two weeks, compared to eight phishing breaches reported in all of 2015.”
The scheme typically begins with a “spoofing” email that appears to have been sent by a company’s CEO or another high-ranking executive to one or more employees in the human resources or payroll departments. In many cases, the sender’s email address is a match, and the tone or style of the message is convincingly similar to that of the individual who is supposed to have sent it. The email contains a request that the recipient respond by sending the “CEO” certain employee personal information, usually including Social Security numbers. The email may ask specifically for W-2 forms, or may instead ask for a compilation of employee data similar to what appears on tax documents of that nature. The employee, accepting the request as legitimate, forwards the requested information to the perpetrator.
Companies of all sizes and across all industries have reported having received phishing emails that fit this pattern. In late February, Snapchat announced publicly that it had fallen victim to such a spoof. A Snapchat payroll department employee received an email from “Snapchat CEO Evan Spiegel.” The cybercriminal imposter requested payroll information on both current and former Snapchat employees. The employee complied with the request, and the company’s payroll information was obtained by the imposter. The incident was reported to the FBI within hours.
To help avoid a similar fate, organizations should warn their human resources and payroll departments about this increasingly prevalent phishing scheme. Employees should be reminded of privacy and security policies concerning the disclosure of personal information, and advised that email requests for any type of sensitive data should be confirmed as authentic through direct contact with the apparent sender.
Unfortunately, the W-2 request variant isn’t the only phishing email scam putting taxpayers at risk this season, and old-fashioned IRS-impersonation phone hoaxes also remain an issue. You can review a compilation of IRS alerts regarding these threats, as well as further information on how to avoid tax fraud generally, on the IRS’s website.