During the past few weeks, many companies have been targeted by an email phishing scheme that has resulted in the disclosure of employees’ confidential personal information. In this latest scheme, cybercriminals pose as company executives in an email targeted at members of the company’s human resources (HR), accounting or payroll departments. In the email, the alleged executive requests employees’ personal information, particularly W-2 or payroll information. The fraud perpetrator then uses that personal information to file fraudulent tax returns, and receive improper tax refunds, in the name of the employee.
To prevent falling victim to this scheme, you should quickly alert your employees and staff members, especially those in HR, accounting and payroll, to closely scrutinize any request for personal information. At a minimum, we recommend that you inform employees and staff members to do the following if a suspicious email is received:
- call the sender of the email requesting the information and verify that he or she indeed made the request (e.g., if the email appears to come from “Jane Doe, CEO,” call Jane Doe to verify before sending any requested information); and
- rather than replying to the original email, only send the requested information by composing a new email message to a known email address for the sender (e.g., compose an email to Jane Doe, using her known email address from the company directory).
Disclosing sensitive and valuable information can cause significant costs and expenses triggered by federal and state data privacy and security laws, including the costs of complying with data breach notification requirements. To read more about this latest scheme, read the alert issued by the IRS or the client alert distributed yesterday by Bass, Berry & Sims.
UPDATE: A prominent and highly-respected law firm announced on Wednesday, April 6, 2016 it too had fallen victim to the “W-2 Phishing Scam” sweeping the country. The announcement re-emphasizes the point that no person or company is immune from a data breach. Even the most formidable and sophisticated firewalls and software cannot prevent a resourceful “black hat.” The first line of cyberliability defense is a knowledgeable and wary workforce. Dedicated cybersecurity education, targeted training and individual vigilance are a hacker’s worst enemy.
Check out our series, Privacy Perils, to learn what steps you can take to guard your personal and company data. For more information about this topic and other cyber security concerns, please contact a member of our Privacy & Data Security team.