May 18, 2016

W-2 Phishing Attacks Leave All Companies Exposed


Something is missing in our security plan here. Photo: Bill Smith/Flickr

If you have been following online security threats, you may think of phishing as a practice aimed at gaining the credentials to online financial accounts or other places where individuals’ money can be stolen. It’s true that in its early days phishing was heavily focused on financial services such as banking, online payments, credit cards, and online trading accounts. Other enterprises, even large ones, may have gotten into the habit of thinking, “This type of threat doesn’t apply to me.”

Well, any company still thinking that way needs to think again, because today criminals are aggressively using spear phishing attacks posing as internal communications to trick employees into giving away critical information. One version of the attack that has been very effective of late is the W-2 attack, which uses fake emails impersonating an internal executive (generally the CEO or CFO) to trick employees into giving up either their own or their colleagues’ W-2 information.

One thing that’s different about the W-2 attack is that companies in all industries are valid targets. Witness three recent high-profile breaches:

  • Sprouts Farmers Market
  • Seagate
  • The Milwaukee Bucks

In each case W-2s were given away, and in each case the cause was an employee responding to what appeared to be an internal email requesting the information.

In the case of Sprouts, Top Class Actions reports:

Sprouts said that an employee in the payroll department received an email that was believed to be from a senior executive of the company. The email allegedly asked the payroll employee for the 2015 W-2 statements from all of the company’s employees. The payroll employee compiled the requested information and reportedly sent it off in an email to the requestor before the company realized that the email was actually a phishing scam.

Top Class Actions also reveals that Seagate suffered the exact same problem.

Seagate claims the data was released due to a “phishing” scam which involved fake emails to Seagate employees involved with human resources and payroll.

And now we see the Milwaukee Bucks singing this very same tune, reports CSO magazine.

Players and staff with the Milwaukee Bucks had their 2015 W-2 records compromised, after a staffer with the NBA franchise released the records to an email address spoofed to appear as if it came from team president Peter Feigin.

These aren’t the traditional targets for phishers. These aren’t financial institutions or payment accounts.

What do a retail grocer, a computer hardware manufacturer, and a professional sports franchise have in common? They have employees and use email — in other words, it can happen to any company. They have access to employees’ personally identifiable information, and they have individuals on staff who can be tricked through social engineering into giving this PII away.

And before we start firing employees or hoping that training them will make a big difference, make sure your company has implemented email authentication (DMARC) — the only proven way to stop these attacks.
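Since the remedy proposed here is DMARC, the following added example (not part of the original article) reads a DMARC TXT record and lists the settings that would still let a spoofed internal email through, because a record that only monitors (p=none) does not stop the attack described above. The domain names and records are constructed; a real check would first fetch the record with a DNS lookup of _dmarc.<domain>.

```python
"""Assess whether a DMARC record actually enforces against domain spoofing.
Added example; the records below are constructed samples, not real lookups."""

# Constructed sample records, as a TXT lookup of _dmarc.<domain> would return them.
SAMPLE_RECORDS = {
    "weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=reject; pct=20; sp=none",
    "strong.example":  "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Return findings explaining why spoofed mail would still be delivered.
    An empty list means the policy enforces on the whole domain."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record: receivers will ignore it"]
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    sub = tags.get("sp", policy).lower()  # subdomains inherit p unless sp is set
    if sub == "none":
        findings.append("sp=none: mail spoofing a subdomain is still delivered")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will never show who is spoofing you")
    return findings

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record) or ["enforcing"])
```

DMARC only covers mail that claims the protected domain itself; a lookalike domain or a forged display name on an unrelated address passes it, so the policy complements rather than replaces a payroll process that verifies such requests out of band.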

These are the targets in this new world of impersonation attacks. Any company with employees and email is potentially a target. And until companies take the measures to protect their employees from this sort of attack, we will continue to see headlines like these from businesses of all sorts.
