Phishing for W-2s

Recently, companies have been receiving requests to send a copy of their W-2s as part of a phishing scheme. How would your organization respond?

[Image: phishing money. Credit: Tax Credits]

It’s late in the day on a Friday and an email just landed in your payroll administrator’s inbox. “I want you to send me a digital copy of the W-2s for our employees in one PDF folder asap.” The email was sent by the president of your company.

Sound far-fetched? A number of companies have already fallen for this phishing scam, over 40 of which are named by CSO. That list is not complete, and it will continue to grow; I know of similar breaches that have not been published. The scam is so pervasive that the IRS published a bulletin about it on March 1.

Is your organization ready?

If a similar email arrived in your organization, what would be the reaction? After all, everyone wants to please the CEO, especially when those four dreaded letters, “ASAP,” appear with the request.

Phishing attempts, and social engineering in general, are getting more sophisticated. As users, we rely on electronic means to transfer information rapidly, and we assume that our systems also root out the evildoers’ requests. They often cannot: a message like the one above carries no link and no attachment, only a plain-text request, so there is no malicious payload for a filter to catch. Unfortunately, most users have not yet learned that we cannot rely on technology alone.

Over the past year, a number of my clients have stepped up their phishing awareness campaigns. Many of them have implemented an internal program to test employees’ responses to mock phishing emails. When someone follows a link in, or responds to, one of these test emails, they receive an email or a call from the cybersecurity team reminding them to be more careful and suggesting resources on detecting phishing attempts.

This, however, is still not a complete approach to preventing phishing-related data breaches. Whenever there is a non-routine request for an organization to release any non-public information, there are some old-school, common-sense approaches that can be taken.

Going old school for a quick remedy

Let’s revisit the initial scenario, where it seems the CEO requested all the W-2s asap. The breach would easily be prevented if the recipient of the request contacted the CEO (or an assistant) to verify it.

That doesn’t mean contacting them via email, and it certainly doesn’t mean replying to the message. It means picking up the phone or asking face-to-face. Any medium other than email will work (even a text message), provided the contact details come from the company directory rather than from the suspicious message itself; a callback number in the email’s signature belongs to whoever wrote the email. Verifying through a separate channel either confirms that the request is valid or quickly reveals a phishing attempt.

There are downsides to this approach. Some employees may become stressed at the thought of questioning a senior executive. If the request is valid, the response to the CEO may be delayed. Depending on how accessible the executives are, this approach may require them to reveal some contact information that they prefer to keep confidential.

There is another, slightly more bureaucratic approach that can be taken from financial operations.

Try requiring dual signatures

When some organizations enter large contracts or write large checks, two signatures are required. Given the potential financial and reputational damage that the loss of personal information may cause an organization, why not put the same requirement on the non-routine release of personal information?

Given our original phishing scenario, the payroll administrator would require a second authorization, a second signature if you will, that included the original email, before fulfilling the request for W-2s. I would recommend limiting who can provide the second signature, for example to an appropriate executive or to someone in a position to check with the original requester if necessary.

If the second signature cannot be obtained, the information is not provided.
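The two controls described above, verifying the request with the supposed requester over a channel other than email and obtaining a second signature before anything is released, can be written down as a simple gate that a payroll or HR workflow could enforce. The Python below is an added example, not code from the article: the roster of authorized second signers, the addresses, the channel names and the sample request are constructed, and the policy choice to require both controls rather than either one on its own is mine.

```python
"""Gate for non-routine releases of personal information (e.g. a bulk W-2 request).

Added example, not from the article. The roster, addresses, channel names and
the sample request are constructed assumptions; the policy (out-of-band
verification AND a second signature) combines the article's two controls.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed roster: who may supply the "second signature".
AUTHORIZED_SECOND_SIGNERS = {"cfo@example.com", "hr-director@example.com"}

# Channels that are independent of the email that carried the request.
OUT_OF_BAND_CHANNELS = {"phone", "in_person", "sms"}


@dataclass
class ReleaseRequest:
    claimed_requester: str          # who the email says it is from
    fulfiller: str                  # employee asked to release the data
    description: str
    original_email: str             # kept with the authorization record
    verified_via: Optional[str] = None
    second_signer: Optional[str] = None
    errors: List[str] = field(default_factory=list)


def record_verification(req: ReleaseRequest, channel: str, contact_source: str) -> bool:
    """Record that the claimed requester confirmed the request over `channel`.

    Replying to the email is not verification, and neither is calling a number
    taken from the email's signature: the contact details must come from the
    company directory (a source the sender of the email did not control).
    """
    if channel not in OUT_OF_BAND_CHANNELS:
        req.errors.append(f"channel {channel!r} is not out-of-band (no email replies)")
        return False
    if contact_source != "directory":
        req.errors.append(f"contact details from {contact_source!r}; use the directory, not the email")
        return False
    req.verified_via = channel
    return True


def add_second_signature(req: ReleaseRequest, approver: str) -> bool:
    """Record the second authorization. The approver must be on the roster, must
    not be the person fulfilling the request (dual control, not self-approval),
    and the original request email must be attached to the record."""
    if approver not in AUTHORIZED_SECOND_SIGNERS:
        req.errors.append(f"{approver} is not authorized to provide a second signature")
        return False
    if approver == req.fulfiller:
        req.errors.append("the fulfiller cannot countersign their own release")
        return False
    if not req.original_email.strip():
        req.errors.append("the original request email must be attached to the authorization")
        return False
    req.second_signer = approver
    return True


def may_release(req: ReleaseRequest) -> bool:
    """Release only when both controls are satisfied; otherwise the data stays put."""
    return req.verified_via is not None and req.second_signer is not None


def demo() -> bool:
    """Walk the article's scenario through the gate (constructed sample data)."""
    req = ReleaseRequest(
        claimed_requester="president@example.com",
        fulfiller="payroll@example.com",
        description="Digital copy of all employee W-2s in one PDF, ASAP",
        original_email="From: president@example.com\nSubject: W-2s\n\nSend me all W-2s asap.",
    )
    record_verification(req, "email", "the email")      # rejected: replying is not verification
    record_verification(req, "phone", "directory")      # accepted
    add_second_signature(req, "payroll@example.com")    # rejected: self-approval
    add_second_signature(req, "cfo@example.com")        # accepted
    return may_release(req)


if __name__ == "__main__":
    print("release permitted" if demo() else "release blocked")
```

The `errors` list is what the fulfiller sees when a step is refused, so the refusal explains itself; in a real workflow the same record (original email, channel used, who countersigned) is also the audit trail if the release later turns out to have been a mistake.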

Phishing is getting easier

I remember doing research without the internet. Trudging down to the library to spend hours reading through books, magazines, encyclopedias and other reference materials to find something that takes seconds today.

Using LinkedIn, for example, a list of a company’s employees and their positions can be retrieved quickly. If a corporate email address is visible in a LinkedIn public profile, if any employee email addresses appear on the corporate website, or if any employee email address is posted anywhere on the internet in a blog post, presentation or article, it is an easy exercise to work out how email addresses are formed for that organization (first.last@, flast@, and so on) and therefore what the executive’s own address should look like. With this little bit of information, a plain-text request can be sent to the person with the right title, purporting to be from a senior executive: the display name is set to the executive’s name, and the sending address is either spoofed or registered on a lookalike domain that a hurried reader will not notice.
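The reconnaissance step just described, inferring an address convention from a couple of public samples, is mechanical enough to script, and the same convention gives the defender a check: a message whose display name matches an executive but whose sender address is not the one the convention predicts (or is on a different domain) deserves a second look. The Python below is an added example, not code from the article; the domain, names, addresses, headers and executive roster are constructed, and the Reply-To comparison is a check the article does not discuss.

```python
"""Infer an organization's email-address convention from a few public samples,
then use it both ways: predict the address for a target (the attacker's
reconnaissance step the article describes) and check whether an inbound
message that names an executive actually came from the address the convention
predicts (the defender's check).

Added example, not from the article. The domain, names, addresses, headers
and the executive roster are constructed; the Reply-To check goes beyond the
article's text.
"""
import re
from typing import Dict, List, Optional, Tuple

# Common local-part conventions, keyed by a label; each builder takes (first, last).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def normalize(full_name: str) -> Tuple[str, str]:
    """'Carol Nguyen' -> ('carol', 'nguyen'); punctuation is dropped."""
    parts = re.sub(r"[^a-z ]", "", full_name.lower()).split()
    if not parts:
        return "", ""
    return parts[0], parts[-1]


def infer_convention(samples: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Return (pattern_label, domain) that explains every (name, address) sample.

    Returns None if the samples span several domains or no pattern fits. With a
    single sample more than one pattern may fit; the first match wins, so feed
    it a few samples to disambiguate.
    """
    domains = {addr.split("@")[1].lower() for _, addr in samples}
    if len(domains) != 1:
        return None
    domain = domains.pop()
    for label, build in PATTERNS.items():
        if all(build(*normalize(name)) == addr.split("@")[0].lower() for name, addr in samples):
            return label, domain
    return None


def predict_address(convention: Tuple[str, str], full_name: str) -> str:
    """Apply the inferred convention to a name: the attacker's target address guess."""
    label, domain = convention
    return f"{PATTERNS[label](*normalize(full_name))}@{domain}"


def parse_address(header: str) -> Tuple[str, str]:
    """'Carol Nguyen <cnguyen@example.com>' -> ('Carol Nguyen', 'cnguyen@example.com')."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def impersonation_signals(headers: Dict[str, str], convention: Tuple[str, str],
                          executives: List[str]) -> List[str]:
    """Reasons an inbound message looks like executive impersonation (empty = none)."""
    _, domain = convention
    display, sender = parse_address(headers.get("From", ""))
    _, reply_to = parse_address(headers.get("Reply-To", sender))
    reasons = []
    for exec_name in executives:
        if not display or normalize(display) != normalize(exec_name):
            continue
        expected = predict_address(convention, exec_name)
        if sender != expected:
            reasons.append(f"display name is {exec_name} but sender is {sender}, expected {expected}")
        sender_domain = sender.split("@")[-1]
        if sender_domain != domain:
            reasons.append(f"sender domain {sender_domain} is not the corporate domain {domain}")
        if reply_to != sender:
            reasons.append(f"Reply-To {reply_to} differs from sender {sender}")
    return reasons


# Constructed sample data: two addresses found in public profiles, one executive.
KNOWN_ADDRESSES = [("Alice Martin", "amartin@example.com"), ("Bob Lee", "blee@example.com")]
EXECUTIVES = ["Carol Nguyen"]


if __name__ == "__main__":
    conv = infer_convention(KNOWN_ADDRESSES)
    print("convention:", conv)
    print("predicted:", predict_address(conv, EXECUTIVES[0]))
    lure = {"From": "Carol Nguyen <carol.nguyen@example-corp.com>"}
    for reason in impersonation_signals(lure, conv, EXECUTIVES):
        print("flag:", reason)
```

The defender’s check is deliberately narrow: it only fires when the display name matches someone on the executive roster, which keeps false positives low, and it says nothing about messages that arrive from the executive’s genuine, compromised mailbox. That case is exactly why the out-of-band verification and second signature described earlier still apply even when the headers look right.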

Creating a simple, common-sense process to verify non-routine requests for information can prevent some of the data breaches we have all been experiencing recently.

This article is published as part of the IDG Contributor Network.
