Blog

Tag: Harter Secrest & Emery

Say NO to Stealing Sensitive Information by PhishingJust a few days after the IRS released it’s warning about W-2 phishing, it appears the College of Southern Idaho (CSI) reported that 3,000 employees’ personal information may have been compromised by a phishing scam.

The attackers are now expanding their sights into higher education according to a recent article by Paul Greene, an attorney at Harter Secrest & Emery.  Given the large number of employees, including seasonal employees, community education instructors and people who work for auxiliary agencies, these institutions are great sources of sensitive information and money.  In this case, someone impersonating a CSI administrator sent an email to an employee requesting W-2 information for all school employees over the past two years.

This type of data breach can be very expensive, cause disruption in the organization, harm the school’s reputation, and is a strong indicator that the school will be the target of future attacks.  It also sets up other higher education institutions as potential targets for other phishing scams.

Unfortunately phishing can even hit organizations sensitized to these scams.  A case in point is something that happened to me this week.  I got an email from someone in my company asking for my help.  I responded asking what I could do and through a series of emails the person asked me to help them send some money using Western Union.  At that point I got suspicious and wanted to see how far this went.  I asked them where they wanted to send it and if we could speak.  At that point the spammer said they couldn’t speak but asked me to send $750.  Needless to say I didn’t respond, but had noticed the return emails changed each time I replied.  And the email addresses were not from anyone in my company.

The best defense against these scams and the data breaches they may cause is to make employees aware of them and to implement technology that makes it difficult to steal the information.  All PII and other sensitive information should be encrypted and protected with persistent security policies so that only authorized users can access them.  If W-2 or other PII were to leak through this scam, the recipients would have useless files with random data in them.  No accessible data, no data breach.

If your employees are unaware of good data security practices, teach them.  No executive should ever ask for W-2 information or other PII by email.  They have a responsibility as does any employee to protect this sensitive information from unauthorized access.  Checks and balances are necessary to verify requests are legitimate and that you can trust the party on the other end.  Technology can help ensure that sensitive data can’t get out, but employees must be taught good data stewardship practices before they become victims.

 

Photo credit Jim Pennucci

How to Fight the Latest Phishing ScamsThe more things change, the more they stay the same, unfortunately.  Paul Greene, an attorney at Harter Secrest & Emery, in a recent blog post mentioned a new IRS warning about the reappearance of phishing scams targeting W-2 information.  Companies have lost thousands of dollars in email compromise attacks that first steal W-2s and then attempt wire transfer frauds.

This is nothing new, of course, with the IRS having issued the same form of warning around this time last year.  But it is tax season and the scammers, fraudsters and hackers decided to get a jump on things this year.

In recent years, the criminals targeted corporations, but this year they are casting a wider net, potentially affecting schools, non-profits, restaurants, healthcare providers, and tribal organizations.  This is a classic case of targeting organizations that may not have the best security, since they have not been victims in the past.  Those organizations affected in recent years have hardened their defenses, but now the scammers are going after the next tier.  They also may be going after the supply chain of some of the companies targeted in the past.  After all it’s easier to attack a small service provider than to attack a large bank or manufacturing company.

The scammers first attempt to access W-2s and then request a wire transfer that looks legitimate.  Unfortunately people are falling for it, partly because the requests look legitimate and partly because some organizations don’t have the proper security tools or procedures in place to thwart it.  Once an organization falls victim to an attack, it’s game on.  The hackers will keep attacking the organization unless they are stopped or until they get everything they can.

The best defense is to make employees aware of these scams and to implement technology that makes it difficult to steal the information.  All PII and other sensitive information should be encrypted and protected with persistent security policies so that only authorized users can access it.  If W-2 information were to leak through this scam, the scammers would have files with random data in them.  Since they are not authorized users, they wouldn’t be able to read the information.

Organizations also need to teach their employees that security is everyone’s job.  Just like you expect people to make sure the door locks when they leave, people need to understand that its their job to protect sensitive information in their care.  Checks and balances are necessary to verify requests are legitimate and that you can trust the party on the other end.  Technology helps in many cases, but you need to add good, old fashioned common sense too.

 

Photo credit Steven Depolo

Categories
Book a meeting