By now, most security experts are aware of “boss phishing” (also called CEO fraud or business email compromise), in which a cybercriminal sends an email that appears to come from a supervisor, an administrator, or even the CEO of a company, directing the recipient to do something out of the ordinary.
It could be a request to change the passwords on key accounts, to transfer funds to a new account number, or something similar. But a new version of the CEO phishing scam has cropped up just in time for tax return season.
According to Krebs on Security, there have been reports of CEO phishing emails that direct HR or payroll employees to send the W-2 forms for the entire company directly to the “CEO.” Because the request is a scam, complying with what appears to be a direct order from above means turning over every employee’s information to a thief, who will then use it to file fraudulent tax returns and claim their refunds.
Imagine… with one simple email, a thief can get his hands on thousands of employees’ tax records and personal identifying information. Worse still, a trusted company employee who is just trying to do his job ends up doing the thief’s work for him.
Krebs on Security reported that one company has already received this kind of email. By sheer luck, the person who received it didn’t have access to the documents, so he forwarded the email to a colleague who did. That colleague recognized the scam, largely because of recently completed company fraud-prevention training.
Unfortunately, Snapchat was a lot less lucky. An identity thief sent an email that appeared to come from the company’s CEO, and a payroll employee complied with the request for employees’ payroll records, leading to a breach of employee data.
Sadly, there is not much you can do as an individual if someone targets your employer’s human resources or payroll department with this kind of scam. It is up to those employees to keep up with the latest scams, to treat any unusual request for bulk personal data as suspect, and to verify such a request through a separate channel (a phone call to the executive’s known number or a walk to his office, never a reply to the email itself) before acting on it. You can, however, help spread the word in your own workplace about this type of scam, and about other common attacks such as emails that install malware on your company network.
Encourage your workplace to offer training like the one that kept those W-2 forms out of the wrong hands, and help raise awareness of malicious emails that masquerade as messages from a legitimate source. If your company does not currently have a policy on sharing personal information or files, encourage your supervisors to adopt one immediately: bulk employee data should never leave the payroll system on the strength of an email alone.
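As an added illustration (not code from the original article or from the Identity Theft Resource Center), the following Python script shows the kinds of header checks a mail filter, or a careful payroll clerk, can apply to a message that claims to come from an executive: a display name that matches a known executive while the address does not, a sender domain that merely looks like the company’s, and a Reply-To that quietly redirects answers elsewhere. The company domain example.com, the executive “Pat Chief”, and the four sample messages are all constructed for this example and are not real traffic.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation settings (hypothetical; adapt to your own domain).
INTERNAL_DOMAIN = "example.com"
# Display names of executives who tend to be impersonated, with their real address.
KNOWN_EXECS = {"pat chief": "pat.chief@example.com"}
# Terms that mark a payroll or funds-transfer lure; reported separately from spoofing signs.
LURE_TERMS = ("w2", "w-2", "payroll", "wire transfer")


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoofing_indicators(raw):
    """Return the spoofing indicators found in one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Display name of a known executive, but not that executive's address.
    expected = KNOWN_EXECS.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' but sender is {from_addr}")

    # 2. Sender domain that is close to, but not, the internal domain.
    if from_dom != INTERNAL_DOMAIN and 0 < _edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_dom}")

    # 3. Reply-To pointing outside the From domain, so replies go to the attacker.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")
    return findings


def lure_terms(raw):
    """Return the payroll/funds lure terms that appear in the subject or body."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    return [t for t in LURE_TERMS if t in text]


def is_suspicious(raw):
    """A message is suspicious when it carries at least one spoofing indicator."""
    return bool(spoofing_indicators(raw))


# Constructed sample messages (not real traffic).
FREEMAIL_IMPERSONATION = """\
From: "Pat Chief" <pat.chief@webmail.invalid>
To: payroll@example.com
Subject: W2 forms needed today

Please send me the W-2s for all employees as a single PDF. I am in meetings, so email only.
"""

LOOKALIKE_DOMAIN = """\
From: "Pat Chief" <pat.chief@exarnple.com>
To: payroll@example.com
Subject: Payroll export

Send me the full payroll register before noon.
"""

REPLY_TO_HIJACK = """\
From: "Pat Chief" <pat.chief@example.com>
Reply-To: pat.chief@webmail.invalid
To: payroll@example.com
Subject: Quick request

Reply with the 2015 W-2 forms for everyone on the headcount list.
"""

LEGITIMATE = """\
From: "Pat Chief" <pat.chief@example.com>
To: payroll@example.com
Subject: Board deck

Can you confirm the Q1 headcount number for the board deck?
"""

if __name__ == "__main__":
    samples = [("freemail", FREEMAIL_IMPERSONATION), ("look-alike", LOOKALIKE_DOMAIN),
               ("reply-to", REPLY_TO_HIJACK), ("legitimate", LEGITIMATE)]
    for label, raw in samples:
        print(label, is_suspicious(raw), spoofing_indicators(raw), lure_terms(raw))
```

The lure terms are deliberately kept separate from the spoofing indicators: a genuine executive does sometimes ask payroll a question, so the words alone prove nothing, but a payroll request whose headers also show one of the three spoofing signs is exactly the message that should be verified by phone before anyone replies.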
Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.