The more things change, the more they stay the same, unfortunately. Paul Greene, an attorney at Harter Secrest & Emery, noted in a recent blog post that the IRS has issued a new warning about the reappearance of phishing scams targeting W-2 information. Companies have lost thousands of dollars to business email compromise attacks that first steal employee W-2 forms and then follow up with fraudulent wire transfer requests.
This is nothing new, of course, with the IRS having issued the same form of warning around this time last year. But it is tax season and the scammers, fraudsters and hackers decided to get a jump on things this year.
In recent years the criminals targeted corporations, but this year they are casting a wider net, potentially affecting schools, non-profits, restaurants, healthcare providers, and tribal organizations. This is a classic case of targeting organizations that may have weaker security because they have not been victims before. Organizations hit in recent years have hardened their defenses, so the scammers are going after the next tier. They may also be going after the supply chain of companies targeted in the past. After all, it is easier to attack a small service provider than a large bank or manufacturer.
The scammers first send an email that appears to come from a trusted party, typically an executive, asking payroll or HR for employees' W-2s; once that works, they follow up with a wire transfer request that also looks legitimate. Unfortunately people are falling for it, partly because the requests look legitimate and partly because some organizations do not have the security tools or procedures in place to thwart them. Once an organization falls victim, it is game on: the attackers will keep coming back until they are stopped or until they have taken everything they can.
The best defense is to make employees aware of these scams and to implement technology that makes the information difficult to steal. All PII and other sensitive information should be encrypted and protected with persistent security policies so that only authorized users can open it. If W-2 files were to leak through this scam, the scammers would end up with ciphertext rather than usable records, since they are not authorized users and hold no key. Two caveats apply: encryption helps only if the key is not handed over along with the file (an authorized employee who decrypts the W-2s and emails them in the clear defeats it), and it does nothing against the wire transfer half of the scam, where no file is stolen at all. That half has to be stopped by process.
Organizations also need to teach their employees that security is everyone's job. Just as you expect people to make sure the door locks when they leave, people need to understand that it is their job to protect the sensitive information in their care. Checks and balances are necessary to verify that a request is legitimate and that you can trust the party on the other end: for example, confirming any request for W-2s or a wire transfer by phone at a number already on file (never one supplied in the email), and requiring a second approver before money moves. Technology helps in many cases, but you need to add good, old-fashioned common sense too.
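As an added example, not code from the original post or from any vendor it mentions, the following Python screens an inbound message for the warning signs of the scam described above: a sender domain that imitates the organization's own, a Reply-To that points somewhere other than the From domain, and a request for W-2s or a wire transfer wrapped in urgency. It assumes the organization's real domain is `example.com` and uses constructed sample messages; the look-alike and homoglyph rules are heuristics meant to route a message to out-of-band verification, not to block it.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption for this example: the organization's real mail domain.
OUR_DOMAIN = "example.com"

# Character swaps attackers use in look-alike domains, mapped to what they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

W2_PATTERN = re.compile(r"\bw-?2s?\b", re.I)
WIRE_PATTERN = re.compile(r"\b(wire|wire transfer|ach)\b", re.I)
URGENCY_PATTERN = re.compile(
    r"\b(urgent(ly)?|right away|asap|immediately|today|end of day)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse common homoglyph substitutions so exarnple.com compares as example.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def is_lookalike_domain(domain: str, ours: str = OUR_DOMAIN) -> bool:
    """True when `domain` is neither ours nor a subdomain of ours but imitates it."""
    domain = domain.lower()
    if domain == ours or domain.endswith("." + ours):
        return False
    if normalize(domain) == ours:
        return True  # homoglyph swap, e.g. exarnple.com or examp1e.com
    if domain.rsplit(".", 1)[0] == ours.rsplit(".", 1)[0]:
        return True  # same name under a different TLD, e.g. example.co
    # Short edit distance catches typosquats such as exampel.com; it can also
    # flag unrelated short domains, which is acceptable for a review queue.
    return edit_distance(domain, ours) <= 2


def screen_message(raw: str) -> dict:
    """Return the BEC warning signs found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_content()}"

    flags = []
    if is_lookalike_domain(from_domain):
        flags.append("lookalike_sender_domain")
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")
    if W2_PATTERN.search(text):
        flags.append("w2_request")
    if WIRE_PATTERN.search(text):
        flags.append("wire_transfer_request")
    if URGENCY_PATTERN.search(text):
        flags.append("urgency_language")

    # A data or money request combined with a spoofing sign is what should
    # trigger a phone call to a number already on file before anyone acts.
    sensitive = {"w2_request", "wire_transfer_request"} & set(flags)
    spoofing = {"lookalike_sender_domain", "reply_to_mismatch"} & set(flags)
    return {"from": from_addr, "flags": flags,
            "verify_out_of_band": bool(sensitive and spoofing)}


# Constructed sample messages for this example; they are not real traffic.
LOOKALIKE_W2_REQUEST = """\
From: "Pat Lee, CEO" <pat.lee@exarnple.com>
To: payroll@example.com
Subject: W-2s needed today

Can you send me the W-2s for all employees as one PDF? I need them right away.
"""

SPOOFED_WIRE_REQUEST = """\
From: "Pat Lee, CEO" <pat.lee@example.com>
Reply-To: ceo.office.pl@mail-example.net
To: finance@example.com
Subject: Vendor payment

Please process a wire transfer of $48,000 to the account below. This is urgent.
"""

BENIGN_NOTICE = """\
From: hr@example.com
To: staff@example.com
Subject: Holiday schedule

The holiday schedule for next year is posted on the intranet.
"""

if __name__ == "__main__":
    for raw in (LOOKALIKE_W2_REQUEST, SPOOFED_WIRE_REQUEST, BENIGN_NOTICE):
        print(screen_message(raw))
```

The second sample shows why a sender check alone is not enough: the From header claims the real domain (which is trivially spoofed when SPF or DMARC are not enforced), and only the Reply-To gives the attacker away. Whatever the screen reports, the procedure stays the same: a W-2 or payment request with any spoofing sign is confirmed by phone at a known number before anything is sent.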
Photo credit Steven Depolo