Earlier in 2016 there was an outbreak of business email compromise (BEC) attacks that targeted W-2 information. These attacks aren’t particularly difficult to pull off and can be quite lucrative for cyber criminals. After all, the information on a W-2 document is very valuable. In fact, as part of what the Darknet world calls a “fullz,” that information can be worth $25-30 per record. A “fullz” is a collection of information such as name, social security number, date of birth, account numbers, etc. So, if someone gets hold of 3,000 W-2s, as happened to the management company Goldkey/PHR in February, it can fetch quite a payoff. That’s why having processes in place to prevent this from happening at your organization is crucial.
BEC in its basic form is when an attacker impersonates an authority within an organization and convinces someone else in that organization to perform some action, such as a wire transfer or handing over W-2 information. It is simple, but also incredibly effective. In the first half of the year, more than 70 organizations reported being victims of the W-2 BEC scams, including the Girl Scouts of Gulf Coast Florida, Snapchat, and Seagate. Losses are estimated to be $3 million over the past three years. What is perhaps even more disturbing than the costs is that this is happening at all.
Employees should not have access to all of the sensitive data in a W-2 or payroll records without some sort of oversight before it can be shared with anyone. It’s important to put controls in place so that if anyone asks for such information, the request is discussed and approved by multiple people. One of the questions that should be asked is “why does this person need this information?” The request should then be verified with the requestor by voice or some other channel that does not involve replying to the email. While email and text are becoming accepted ways of communicating just about everything, a voice conversation goes a long way toward keeping scams like these from succeeding.
You might feel a bit insecure about asking someone who claims to be the CEO why he or she needs W-2 details, but if the request is legitimate, that executive will appreciate the fact that you checked before handing the data to cyber criminals. Many victims of the W-2 fraud have reported being victims of tax fraud, which appears to be the goal in these cases. The FBI has reported that the number of identified victims and exposed losses has increased 270% in the past year due to this type of BEC fraud.
© Copyright 2016 Stickley on Security