Page 40 - Deleware Medical Journal - September/October 2019
P. 40
BEWARE OF PHISHING SCAMS
Targeting Employees’ Tax Info
It seems hard to believe, but 2019 is ����������� ��� ���� ������ ��� ���� tax time will be upon us. Organizations
of all sizes and their employees are warned to be on high alert for an increasingly prevalent email phishing scheme involving W-2 information. While the scheme
itself is simple and quick, the impact
on employees’ lives from the resulting theft of their personal information can be devastating, and last for years.
WHAT IS W-2 PHISHING?
Many reading this article are probably familiar with data breaches that include health records, banking information and even personal email addresses. In fact,
a majority of you have probably been impacted by a data breach, personally. However, most people are unaware of W-2 phishing. W-2 phishing is a low-tech email scheme. It works like this:
� Cybercriminals, posing as a company executive, will send an email directly to a payroll or human resources professional requesting W-2 information. The so-called �������� ������ ����� �������� ��� ������ name of the company’s chief executive ������� ��� ����� ��� ����� ��� ���������� “Kindly send me the individual 2018 W-2 and earnings summary of all company staff for a quick review.”
� The payroll or HR employee, believing the email to be a legitimate request, mistakenly emails the W-2 information to the cybercriminals. W-2 data includes a trove of sensitive information, including
employees’ Social Security numbers, addresses, salary information, and other ���������� ����������� ������������
� The cybercriminals operate on the assumption that, in the interest of being responsive to the executive and expedient �� ������ ��� �������� ��� ��������� �� ��� ������� ����� ������ ����� ���� ��� ���� to verify the authenticity of the request.
We have clients who were victims of such attacks. The cybercriminal may have accessed management’s email address
by looking at the client’s website. Many businesses have email contact information readily available on their websites or place the names of their executives on their site. Cybercriminals use spoofed addresses to send emails that could plausibly look like they’re coming from co-workers.
In a March 2019 article, Delaware Business Now listed some IRS-provided examples
of email phishing requests that you or ������� �� ���� ����� ��� ��������
“Kindly send me the individual [2019] W-2 and earnings summary of our staff for a quick review.”
“Can you provide me with the current list of employees with full details?”
“Please forward, in PDF format, the W-2 list and the employee wage & tax statement for [2017].”
“We are replacing our health insurance program. I need a complete list of our employees that includes their Social Security number, date of birth, home address, and salary. My meeting is in the next hour, can you forward ASAP?”
232
Del Med J | September/October 2019 | Vol. 91 | No. 5
