Stories of high-technology cyber-attacks on American banks,
retailers, government and business are everywhere. But a remarkably
simple and low-tech scheme is proving to be highly effective
against numerous businesses as we approach April 15th
with federal tax returns on our minds.
It's a variation on the business email compromise wire transfer
fraud schemes that plagued U.S. businesses in 2015. As the FBI reported last August, those schemes led to
almost $800 million in fraud losses.
Desperately Seeking W-2 Data
The latest phish targets company human resources and payroll
departments and goes after W-2 data that thieves can use to e-file
fraudulent U.S. tax returns. We've seen it more than once. In
hindsight, you'll wonder how it works at all. But every
effective con game suspends your disbelief until it's too late.
We'll explain why we think the W-2 phish is working for the bad
guys.
When at work, we think we're vigilant, but we make mistakes.
That human weakness persists even when companies are using
technology to ward off electronic breaches. Criminals understand
the vulnerability. It stems in part from our desire to work
efficiently, contribute to a team effort, and be responsive when
the boss (or the boss's boss) asks us to do or get
something.
This evolving threat not only exploits that weakness, but
also seems to take into account that typical "cyber
awareness" guidance about business email risks has
focused on malware-laced attachments and hyperlinks. The latest scam has neither,
so filters and training keyed to those signals have nothing to catch.
Instead of getting into an employee's computer, it gets into
their head.
"Are you at your desk?"
The subject line is simple. It's also disarming, especially
when it comes from the C-Suite. It's intended to put the
recipient on the defensive, and it implies a call to action. After
all, anything but a quick response means "no, I wasn't at
my desk." And that's why it's a powerful opening
line for sophisticated criminals who mine business-oriented
websites, publications and social media, looking for working
relationships that can be counterfeited, then exploited.
"Please prepare a .pdf of the 2015 W-2s and send
ASAP."
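The request above carries no attachment and no link, so the only signals left for a mailbox or gateway to act on are in the headers and the wording. As an added example (it is not from the original article and not any vendor's product), here is a small Python check that an HR or payroll mailbox could run on incoming mail: it parses the message, compares the From display name against a list of executive names, checks whether the sending address and any Reply-To belong to the company's own domain, and looks for W-2 or payroll wording. The company domain, the executive names, the keyword list and the three sample messages are all assumptions constructed for the example.

```python
"""Flag emails that look like executive-impersonation requests for W-2 data.

Added example: the company domain, executive names, keyword list and the
sample messages below are assumptions constructed for illustration.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"        # assumed: the company's own mail domain
EXECUTIVES = {"jane doe", "john roe"}   # assumed: names an attacker could mine from the org chart
REQUEST_TERMS = ("w-2", "w2", "payroll", "social security", "ssn")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts so keyword matching sees the whole body."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw: str) -> dict:
    """Return the impersonation signals found in one RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()

    sender_reasons = []
    # Executive's name shown, but the address is not on our domain.
    if from_name.strip().lower() in EXECUTIVES and _domain(from_addr) != INTERNAL_DOMAIN:
        sender_reasons.append("executive display name on an external address")
    # Replies are silently routed to an address the sender did not show.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        sender_reasons.append("Reply-To goes to a different domain than From")

    data_request = any(term in text for term in REQUEST_TERMS)
    return {
        "from": from_addr,
        "reply_to": reply_addr,
        "reasons": sender_reasons + (["asks for W-2 or payroll data"] if data_request else []),
        # A W-2 request alone is normal HR traffic and a sender oddity alone is
        # noise; only the combination is escalated.
        "suspicious": data_request and bool(sender_reasons),
    }


# Constructed sample messages (not real mail).
PHISH = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jdoe.ceo@mail-example.net>
To: payroll@example.com
Subject: Are you at your desk?

Please prepare a .pdf of the 2015 W-2s and send ASAP.
"""

SPOOFED_FROM = """From: Jane Doe <jane.doe@example.com>
Reply-To: <jane.doe.exec@mail-example.net>
To: payroll@example.com
Subject: Quick request

Need the W2 summary for all staff today, please reply to this email.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Are you at your desk?

Can you call me when you have a minute?
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("SPOOFED_FROM", SPOOFED_FROM), ("LEGIT", LEGIT)):
        result = analyze(raw)
        print(f"{label}: suspicious={result['suspicious']} reasons={result['reasons']}")
```

Rules like these only raise a flag. A request sent from a genuinely compromised internal mailbox trips none of the sender checks, so the process control, confirming any request for W-2 data with the named executive through a channel other than the email itself, is the part that actually matters.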
No one would fall for this, right?
Wrong.
Most recently, security journalist Brian Krebs reported that Seagate Technology (which generates
nearly $12 billion in annual revenue) notified its employees that
in early March it fell victim to the scheme and gave away
information on thousands of current and former employees when an
employee sent the requested information to an imposter.
If it can happen to a publicly-traded icon of the technology
industry, it might happen to your business. We've already seen
it in Kentucky. And if it happens to you, you'll need an
immediate response. After all, this type of data breach triggers a
plethora of notification requirements under a kaleidoscope of state
and sometimes federal regulations. Beyond that, you'll need a
plan for contacting law enforcement and dealing with other legal
concerns that follow a breach.
Check Your Protection Plan
Whatever your business, if you handle personally identifiable
information, payroll, credit cards or any other form of electronic
payments, especially for consumers or employees, it is critical to
review your cybersecurity and privacy policies in light
of your actual business practices. For many businesses, regulatory
obligations may attach to your data privacy and network security practices.
It's equally important that you understand your insurance,
because losses arising from social engineering have sometimes
triggered coverage disputes under general liability policies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.