Privacy Alert: Latest Phishing Scheme Targets W-2s

Lynn Kuzneski

A new “spear-phishing” scheme is active that targets employees, including Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs), in an attempt to obtain employee personal information and other data.

In a recent case involving a medium-sized company with offices in several states, hackers used a system that mimics employer email addresses to obtain employee W-2s, birth dates, and other information. Specifically, the company’s Human Resources department received two email requests, which appeared to be from the CEO, for 2015 W-2s and employee names and birth dates. HR complied with the fake email request, and personal information of the entire 2015 workforce was inadvertently disclosed. The company had experienced a prior attempt when HR received a strange email from the CEO’s email address, which HR disregarded as a mistake. The successful attempt followed about a week later. Several employees in the affected company discovered misuse of their information following the breach, including falsely filed tax returns.

W-2s contain sensitive personal information such as Social Security numbers and full names and addresses, which can be sold or used for identity theft and financial fraud. W-2s in particular give an identity thief almost everything needed to commit tax fraud.

The ease with which the hackers obtained the information is a reminder to all businesses to review their internal data privacy practices and implement reasonable safeguards. Companies can reduce the risk of this latest scam in two ways: by encrypting all personal information before it is transmitted electronically, and by training employees, particularly Human Resources and other employees with access to personal information, to follow up on any email request for personal information in person or by phone and confirm that the request is legitimate before sending any personal information.

In the event of a breach, companies should seek legal counsel immediately to develop a breach response plan. State law governs the contents and timing of breach disclosure notices to affected individuals, and notification to state authorities may also be required.

For more information, please contact us.
