January 8, 2018 – It’s that time of year again. HR administrators and payroll teams are coming out of their holiday haze. And now it’s time to focus on everyone’s second favorite time of year…tax time. Jokes aside, this time of year provides a fresh opportunity for cyber criminals to target small and midsized businesses. Cyber criminals will use sophisticated W2 phishing scams to trick payroll departments, accountants, and HR teams into providing W2 data on company employees. This type of business email compromise is big money, and small-to-midsized businesses are a prime target.
How W2 Phishing Scams Work
With phishing schemes, the cyber criminal sends an email from a fraudulent account. But the email appears at first glance to come from a high-level executive. These phishing schemes work by employing a sense of authority and urgency in the communication. The email will ask the employee to provide tax-related information from the W2 so that they can be properly issued. There is typically a false sense of urgency created as well, causing a quick reaction by the recipient before they have a chance to think things through.
These emails are incredibly convincing, and may include the actual email signature block of an executive. Within the email there will be a link to upload volumes of employee data to a fraudulent location, or simply a request to reply to the email with the information. Unfortunately, because the email came from a spoofed mailbox it will be sent to the cyber criminal. The executive is none the wiser that their identity was used fraudulently.
How to Protect Yourself
So what’s the best way to protect your organization from these sophisticated criminals? Turns out, it’s education. While web defense and email defense solutions can help prevent viruses, ransomware and malware from penetrating your network, the best defense against phishing is people. Employee Security Awareness Training enables your team to identify a potential scheme and investigate before taking action. Often it’s a simple phone call to the individual who sent the note. If the employee is uncomfortable reaching out to the business owner or an executive they can be instructed to notify the security team and/or their manager. It’s important to put the procedures in place and educate your team on the steps to take so phishing schemes can be detected, investigated, and shut down.
Employee security training can come in many forms including in person training at your facility or flexible online training. Whatever suits your business, make this a priority so you can avoid becoming the next victim.
What Actions Can I take Right Now?
If you’re looking for steps to take right now to protect yourself, you can start by communicating directly with your team members who have access to confidential information. Inform them of the process you will be using to collect and disperse W2 information, and be sure everyone understands that process. Remind them not to send confidential information without first verbally confirming with the requestor. Employees also need to notify management if a request is made outside of the published process.
– The AccountabilIT Team