Beware of New W-2 Phishing Scam

Kevin Pelton, CISSP
IT Shareholder

There is a new form of CEO fraud in which HR and accounting departments are being scammed into sharing W-2 information. This one in particular hits close to home and is one we caution everyone to be aware of.

CEO fraud attacks are so successful because they are personal, requiring the target to interact with the attacker rather than with automated or computer-generated emails. CEO fraud targets smaller, more nimble organizations, where exceptions to standard accounting processes are more likely to be made based on personal requests from members of the executive team. In the case of this latest W-2 scam, someone in the HR or accounting department gets an urgent email from the CEO asking for all employee W-2 information.

Phishing scams utilize phony emails sent out by attackers in order to gather personal information from unsuspecting victims or spread malicious software like ransomware. Attacks can target individuals, referred to as spear phishing, or entire organizations. Phishing remains the easiest and most productive cyberattack method used by criminals—proving that humans continue to be the weakest point in a security program.

Organizations and users can take several steps to avoid phishing scams. Particularly in this case, warn your accounting and HR staff to be wary of emails asking for W-2 information, and always verify such requests via another method of communication. Every email should be scrutinized. Ask questions such as: does this email come from a recognized sender? Does the email look legitimate (any misspelled words or incorrect language usage)? Was the email expected? Hover over any links in the email before clicking on them to make sure they are consistent with the sender, and never navigate to links provided in emails; instead, type the URL into the web browser to reach the destination. Make sure operating systems and web browsers are kept up to date, and install good antivirus, web and spam filters. Only enter sensitive data on secure websites, and periodically check bank accounts and other online accounts for irregularities.
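The checks above (is the sender who they claim to be, does the link text match where the link really goes, is this an urgent request for W-2 data) can be automated as a first-pass triage before a message ever reaches a person. The script below is an added example written for this post, not code from the author or from any vendor mentioned here. It parses a constructed sample message; the sender address, domains, trusted-domain list and keyword lists are all assumptions chosen for illustration, and a real deployment would take its trusted domains from the organization's own mail configuration.

```python
"""
Added example (not from the original post): a small triage script that applies
the manual checks described above to a raw RFC 822 email. It flags a sender
whose address domain is not one the organization uses, links whose visible
text names a different host than the real href (what hovering would reveal),
and urgent wording combined with a request for W-2 / identity data.
All names, domains and the sample message are constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an "urgent" request that claims to come from the CEO of
# example-corp.com but is actually sent from an unrelated look-alike domain.
SAMPLE_EMAIL = """\
From: "Pat Example (CEO)" <pat.example.ceo@mail-example.net>
To: hr@example-corp.com
Subject: URGENT: need all employee W-2s today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I need PDF copies of every employee's W-2 before noon. Upload them here:
<a href="http://w2-upload.example-corp-payroll.net/submit">https://hr.example-corp.com/w2</a>
</p><p>Keep this confidential. Thanks, Pat</p>
</body></html>
"""

# Domains the organization actually sends internal mail from (assumption).
TRUSTED_DOMAINS = {"example-corp.com"}
URGENCY_WORDS = ("urgent", "today", "immediately", "asap", "before noon")
SENSITIVE_WORDS = ("w-2", "w2", "ssn", "social security")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase hostname of a URL or URL-like string, or ''."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def is_trusted(host, trusted_domains):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings for one raw email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    # 1. Sender check: the real address domain, not the display name, decides.
    sender = msg["From"]
    sender_addr = sender.addresses[0].addr_spec if sender and sender.addresses else ""
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower()
    if sender_domain not in trusted_domains:
        warnings.append(f"sender domain '{sender_domain}' is not a trusted domain")

    # 2. Link check: the text a reader sees must agree with the real target.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    parser = LinkCollector()
    parser.feed(text)
    for href, visible in parser.links:
        real_host = host_of(href)
        shown_host = host_of(visible) if "." in visible else ""
        if shown_host and shown_host != real_host:
            warnings.append(f"link text shows '{shown_host}' but points to '{real_host}'")
        elif real_host and not is_trusted(real_host, trusted_domains):
            warnings.append(f"link points to untrusted host '{real_host}'")

    # 3. Content check: urgency combined with a request for tax/identity data.
    plain = re.sub(r"<[^>]+>", " ", text).lower()
    haystack = (msg["Subject"] or "").lower() + " " + plain
    if any(w in haystack for w in URGENCY_WORDS) and any(w in haystack for w in SENSITIVE_WORDS):
        warnings.append("urgent request for W-2 / identity data: verify out of band")
    return warnings


if __name__ == "__main__":
    for w in triage(SAMPLE_EMAIL):
        print("WARNING:", w)
```

Run against the constructed sample, the script reports three warnings: an untrusted sender domain, a link whose visible text names the company's HR host while the href points elsewhere, and an urgent W-2 request that should be confirmed by phone or in person rather than by replying to the email. None of these checks replaces that out-of-band confirmation; they only decide which messages need it before anyone acts on them.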

For further reading on these latest attacks, click here to visit an article by KnowBe4 and here for an article by Help Net Security. If you receive any suspicious files or have questions about best practices for IT security, we would be happy to discuss them with you.