Stories of high-technology cyber-attacks on American banks, retailers, government and business are everywhere. But a remarkably simple and low-tech scheme is proving to be highly effective against numerous businesses as we approach April 15th with federal tax returns on our minds.
It’s a variation on the business email compromise wire transfer fraud schemes that plagued U.S. businesses in 2015. As the FBI reported last August, those schemes led to almost $800 million in fraud losses.
Desperately Seeking W-2 Data
The latest phish is directed at company human resources and payroll departments, and goes after W-2 data thieves can use to e-file fraudulent U.S. tax returns. We’ve seen it more than once. In hindsight, you’ll wonder how it works at all. But every effective con game suspends your disbelief until it’s too late. We’ll explain why we think the W-2 phish is working for the bad guys.
When at work, we think we’re vigilant, but we make mistakes. That human weakness persists even when companies are using technology to ward off electronic breaches. Criminals understand the vulnerability. It stems in part from our desire to work efficiently, contribute to a team effort, and be responsive when the boss (or the boss’s boss) asks us to do or get something.
This evolving threat not only leverages that vulnerability, but also seems to take into account that typical "cyber awareness" guidance about business email risks has been focused on malware-laced attachments and hyperlinks. The latest scam has neither. Instead of getting into an employee’s computer, it gets into their head.
"Are you at your desk?"
The subject line is simple. It’s also disarming, especially when it comes from the C-Suite. It’s intended to put the recipient on the defensive, and it implies a call to action. After all, anything but a quick response means "no, I wasn’t at my desk." And that’s why it’s the powerful opening line for sophisticated criminals that mine business-oriented websites, publications and social media, looking for working relationships that can be counterfeited, then exploited.
"Please prepare a .pdf of the 2015 W-2s and send ASAP."
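The message described above has no attachment and no link, so attachment and URL filters never fire. What a payroll or HR mailbox can still check is whether a mail that borrows an executive's name actually comes from that executive's mailbox, and whether it asks for W-2 data with the "ASAP" pressure the scam relies on. The following is an added example written for this article, not code from the article or from any of the companies it mentions. It assumes the impersonation takes the form of an executive's display name on an address outside the company's own domain, or a Reply-To pointing outside it; the company domain, the executive directory and both sample messages are constructed.

```python
"""Triage check for executive-impersonation W-2 requests (added example).

Assumptions (not from the article): the imposter uses an executive's display
name on an external address, or sets an external Reply-To; the company domain,
the executive directory and the sample messages below are all constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"  # constructed company domain
# Constructed directory: lower-cased display name -> the real mailbox.
EXECUTIVES = {"pat morgan": "pat.morgan@example-corp.test"}

W2_PATTERN = re.compile(r"\bw-?2s?\b", re.IGNORECASE)
URGENCY_PATTERN = re.compile(r"\b(asap|urgent|immediately|right away)\b",
                             re.IGNORECASE)


def _domain(addr):
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Plain-text body of a parsed message (joins text/plain parts if multipart)."""
    if msg.is_multipart():
        return "".join(part.get_payload() for part in msg.walk()
                       if part.get_content_type() == "text/plain")
    return msg.get_payload()


def triage(raw_message):
    """Return a list of indicator tags found in the raw RFC 822 message.

    Tags: exec-name-external-address, exec-name-wrong-mailbox,
          external-reply-to, w2-request, urgency. Empty list means none found.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}"
    findings = []

    name_key = from_name.strip().lower()
    if name_key in EXECUTIVES:
        # Executive's name on the mail: is it really their mailbox?
        if _domain(from_addr) != INTERNAL_DOMAIN:
            findings.append("exec-name-external-address")
        elif from_addr.lower() != EXECUTIVES[name_key]:
            findings.append("exec-name-wrong-mailbox")
        if reply_addr and _domain(reply_addr) != INTERNAL_DOMAIN:
            findings.append("external-reply-to")

    if W2_PATTERN.search(text):
        findings.append("w2-request")
    if URGENCY_PATTERN.search(text):
        findings.append("urgency")
    return findings


IMPERSONATION_TAGS = {"exec-name-external-address",
                      "exec-name-wrong-mailbox", "external-reply-to"}


def is_suspected_w2_phish(raw_message):
    """True when an impersonation indicator coincides with a W-2 request."""
    found = set(triage(raw_message))
    return bool(found & IMPERSONATION_TAGS) and "w2-request" in found


# Constructed sample: executive's name, look-alike external domain, W-2 ask.
PHISH = """From: Pat Morgan <pat.morgan@mail-examp1e.test>
To: payroll@example-corp.test
Subject: Are you at your desk?

Please prepare a .pdf of the 2015 W-2s and send ASAP.
"""

# Constructed sample: the same executive from the real mailbox, routine ask.
LEGIT = """From: Pat Morgan <pat.morgan@example-corp.test>
To: payroll@example-corp.test
Subject: Q1 headcount

Can you send me the headcount summary when you have a minute?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw), is_suspected_w2_phish(raw))
```

The check deliberately keys on the coincidence of two signals, an executive's name arriving from somewhere other than that executive's mailbox and a request for W-2 data, rather than on either alone, so a genuine internal request is not flagged. It is a mailbox-side triage aid and does not replace sender authentication at the mail gateway; the executive directory should come from the company's own address book rather than a hard-coded dictionary.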
No one would fall for this, right?
Most recently, security investigator Brian Krebs reported Seagate Technology (which generates nearly $12 billion in annual revenue) notified its employees that in early March it fell victim to the scheme and gave away information on thousands of current and former employees, when an employee sent the requested information to an imposter.
If it can happen to a publicly-traded icon of the technology industry, it might happen to your business. We’ve already seen it in Kentucky. And if it happens to you, you’ll need an immediate response. After all, this type of data breach triggers a plethora of notification requirements under a kaleidoscope of state and sometimes federal regulations. Beyond that, you’ll need a plan for contacting law enforcement and dealing with other legal concerns that follow a breach.
Check Your Protection Plan
Whatever your business, if you handle personally identifiable information, payroll, credit cards or any other form of electronic payments, especially for consumers or employees, it is critical to review your cybersecurity and privacy policies in light of your actual business practices. For many businesses, regulatory obligations may attach to your data privacy and network security practices.
It’s equally important that you understand your insurance, because losses arising from social engineering have sometimes triggered coverage disputes under general liability policies.