A heads-up that it’s that season again, and the bad guys like to take advantage of it. Last year 41 major organizations were compromised by phishing attacks targeting employee tax records.
These attacks are a more focused variant of phishing called “spear phishing”, and the goal is tax information that can be used to file fraudulent returns.
These types of attacks go after the trust relationships that exist within an organization. Some of them spoof the email address of the CEO or another person with authority. This tricks people into sharing personal data. For example, at Snapchat, a phishing email spoofed to look as if it came from the company CEO compromised payroll information (W-2) for both current and former employees.
Here's some example content from these e-mails (1):
- “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all of our company staff for a quick review.”
- “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
- “I want you to send me copies of W-2 employees wage and tax statements for last year. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
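The wording above, together with the sender spoofing described earlier, is what a mail-filter or triage rule can key on. The script below is an added example written for this post, not code from the original article or from any vendor: it parses a raw e-mail, checks the visible sender against a constructed executive roster and company domain (`example.com`), compares the Reply-To domain with the From domain, reads the `Authentication-Results` header for SPF/DMARC failures (which is how an exact-address spoof of the CEO is caught when the display name and address look right), and scans the body for the tax-data and urgency phrases quoted above. The roster, domains, weights and the three sample messages are all constructed for the demo.

```python
"""Heuristic triage for W-2 / payroll spear-phishing e-mails.

Added example, not the original post's code. The executive roster, the
company domain, the indicator weights and the sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed roster

# Phrases taken from the wording quoted in the post, plus common urgency cues.
SENSITIVE_TERMS = ("w-2", "w2", "social security", "earnings summary",
                   "wage and tax statement", "salary", "date of birth")
URGENCY_TERMS = ("asap", "kindly", "quick review", "urgent")

# Assumed weights: an auth failure or an executive-name mismatch is stronger
# evidence than the softer content cues.
WEIGHTS = {
    "auth_failure": 2,
    "exec_name_address_mismatch": 2,
    "external_sender_domain": 1,
    "reply_to_mismatch": 1,
    "requests_sensitive_data": 1,
    "urgency_language": 1,
}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Return the triggered indicators, a weighted score and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    auth = str(msg.get("Authentication-Results", "")).lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""

    indicators = []
    key = name.strip().lower()
    # 1. An executive's display name on an address that is not theirs.
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        indicators.append("exec_name_address_mismatch")
    # 2. Sender domain outside the company (lookalike or free-mail domain).
    if _domain(addr) != COMPANY_DOMAIN:
        indicators.append("external_sender_domain")
    # 3. Replies would go somewhere other than the visible sender.
    if reply and _domain(reply) != _domain(addr):
        indicators.append("reply_to_mismatch")
    # 4. The receiving MTA recorded an SPF or DMARC failure (RFC 8601 header);
    #    this is what exposes a message that forges the real executive address.
    if "spf=fail" in auth or "dmarc=fail" in auth:
        indicators.append("auth_failure")
    # 5. Request for tax forms or employee PII.
    if any(t in body for t in SENSITIVE_TERMS):
        indicators.append("requests_sensitive_data")
    # 6. Pressure to act quickly.
    if any(t in body for t in URGENCY_TERMS):
        indicators.append("urgency_language")

    score = sum(WEIGHTS[i] for i in indicators)
    verdict = "escalate" if score >= 3 else "review" if score >= 1 else "ok"
    return {"indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample messages (headers must start on the first line).
PHISH = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@freemail.example
To: payroll@example.com
Subject: W-2 request

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all of our company staff for a quick review.
"""

SPOOFED = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Employee list
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail

Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Meeting
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass

Can we move the budget meeting to Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", PHISH), ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, triage(sample))
```

The lookalike message trips the roster, domain, Reply-To and content checks; the exact-address spoof passes those but is caught by the DMARC failure plus the data request; the ordinary message scores zero. In practice the roster would come from the directory and the thresholds would be tuned against real mail volume, but the shape of the rule is the same.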
We never want to disrupt trust between co-workers. But we can question requests for sensitive data no matter the source, and alert key members of our organizations if something feels suspicious.
(1) Example content from https://www.irs.gov/uac/newsroom/irs-alerts-payroll-and-hr-professionals-to-phishing-scheme-involving-w2s