“Phishing” is a type of malicious cyber tactic used to acquire sensitive online user information such as credit card details, social security numbers, usernames, or passwords by impersonating a trusted entity.
Although it seems like common knowledge to never divulge your personal details and sensitive information on the internet, BEC (Business Email Compromise) attacks have been wreaking havoc on numerous business organizations since the beginning of the 2016 by coercively collecting W-2 tax data for the likely objective of filing fraudulent tax returns.
Depending on the depth and scope of the breach, W-2 data accessed could include some or all of an individual’s name, home address, withholding information, salary information, and Social Security Number. This presents a serious issue. If a fraudulent tax return is filed successfully, than the individual whose identity was stolen will not receive the funds for the return that they are due and will will not be able to pay the IRS what is owed in taxes.
Commentary From the IRS
On March 1, 2016 the IRS issued an alert to HR and payroll professionals underlining the potential damages to business information security with the following message among its recent awareness campaign:
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”Because of the deceptive nature of a Business Email Compromise (BEC), the most effective way to stop the attack is to identify it.
Identifying Phishing Messages
One of the largest problems in identifying phishing attacks is that it requires significant discernment on the part of the employee. Questioning an executive’s motives regarding the W-2 data requests does not come second nature to most employees. In many cases, the phishing emails are very shrewd and deliberate. The instigators are very adept at “spoofing” (forging) professional and seemingly authentic emails with believable requests such as ones outlined by the awareness campaign launched by the IRS:
- “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
- “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
- “I want you to send me the list of W-2 copy of all employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
Phishing attacks have the potential to affect organizations of all sizes, making it a national concern. According to the IRS, “The emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. The phishing schemes can ask taxpayers about a wide range of topics. E-mails can seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.” (2016)
Corporate Phishing Attacks in 2016
The Months of February and March were especially damaging to internal W-2 information of these organizations. One factor that was universal across the board for these attacks was that they were a Business Email Compromise phishing attack that impersonated an executive of the organization, giving the infiltrator access to detailed sensitive W-2 data.
Retaliating Against Business Email Compromises
Potential Business Email Compromises aren’t susceptible to anti-virus and cybersecurity software because technology alone will not stop this phenomena. Someone has to willingly provide the sensitive information to the impersonating Phisher.
The only thing that will combat the rising tide of BEC’s is the empowerment of the employee in questioning and authenticating legitimate information requests by senior employees. Organizations will need to be proactive in providing awareness training to employees so they do not continue the mistakes made by the previously targeted businesses.
Contact the Business Benefits Group to Learn More
Having the personal information of your employees is a serious issue and organizations should take all measures possible in order to avoid the negative effects of these attacks. For more information on BEC attacks or to learn about how BBG’s business insurance services can protect the best interests of your business – call us directly or contact us online to request more information.