Post by conflict on Mar 18, 2016 4:36:39 GMT 4
From would-be Nigerian princes to foreign lottery officials,
cybercriminals have been known to assume all sorts of false
identities to carry out email phishing scams that trick
unsuspecting consumers into clicking on fraudulent links or
divulging personal information to strangers. We often see a spike
in this type of activity around tax season, when fraudsters target
taxpayers in an attempt to make off with their refunds. This year,
however, the annual spike is looking more like an epidemic as a
variant affecting human resources departments has begun to spread
with a vengeance.
On March 1, 2016, the IRS issued an alert warning "payroll
and human resources professionals to beware of an emerging phishing
email scheme that purports to be from company executives and
requests personal information on employees." Less than a week
later, on March 7, the Attorney General of North Carolina sounded
a similar alarm concerning the rise in phishing-related breaches,
reporting that "[i]n 2016, 26 phishing breaches have been
reported by businesses and other organizations with 16 of those
reports coming within the past two weeks, compared to eight
phishing breaches reported in all of 2015."
The scheme typically begins with a
"spoofing" email that appears to have been sent by a
company's CEO or another high-ranking executive to one or more
employees in the human resources or payroll departments. In many
cases, the sender's email address is a match, and the tone or
style of the message is convincingly similar to that of the
individual who is supposed to have sent it. The email contains a
request that the recipient respond by sending the "CEO"
certain employee personal information, usually including Social
Security numbers. The email may ask specifically for W-2 forms, or
may instead ask for a compilation of employee data similar to what
appears on tax documents of that nature. The employee, accepting
the request as legitimate, forwards the requested information to
the perpetrator.
Companies of all sizes and across all industries have reported
having received phishing emails that fit this pattern. In late
February, Snapchat announced publicly that it had fallen
victim to such a spoof. A Snapchat payroll department
employee received an email from "Snapchat CEO Evan
Spiegel." The cybercriminal imposter requested payroll
information on both current and former Snapchat employees. The
employee complied with the request, and the company's payroll
information was obtained by the imposter. The incident was reported
to the FBI within hours.
To help avoid a similar fate, organizations should warn their
human resources and payroll departments about this increasingly
prevalent phishing scheme. Employees should be reminded of privacy
and security policies concerning the disclosure of personal
information, and advised that email requests for any type of
sensitive data should be confirmed as authentic through direct
contact with the apparent sender.
Unfortunately, the W-2 request variant isn't the only
phishing email scam putting taxpayers at risk this season, and
old-fashioned IRS-impersonation phone hoaxes also remain an issue.
You can review a compilation of IRS alerts regarding these
threats as well as further information on how to avoid tax fraud
generally on the IRS's website.