[BreachExchange] Thousands of taxpayers affected by W-2 Phishing attacks this year

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 2 19:03:59 EDT 2016


http://www.csoonline.com/article/3064214/security/thousands-of-taxpayers-affected-by-w-2-phishing-attacks-this-year.html

Thousands of taxpayers have been impacted by a wave of Phishing attacks
targeting W-2 records, with more than sixty organizations reporting such
incidents in the first half of the year.

By taking advantage of the trust relationships that exist within a given
company, these attacks have resulted in at least $2.3 billion in losses
over the last three years.

Business Email Compromise / Correspondence attacks (BEC attacks) aren't
overly clever, but they're effective. A person with authority is
impersonated, and a lower-level staffer is asked to share W-2 records or
related payroll information. That's all there is to it.

Because the request looks and feels legitimate, the employee usually
complies, but there have been a few cases where the scam was flagged before
any damage could be done.

Last month, Jonathan Sander, vice president at Lieberman Software, remarked
to Salted Hash that the common theme in each successful attack is also the
reason why the success rate should be zero.

"The employee shouldn’t have been able to access that much data without
some sort of oversight kicking in. The fact that a single employee, for any
reason, could grab so much data and simply send it to anyone, regardless of
who they think that person is, is a scary prospect when you stop to think
about it. Of course, you can also ask why an employee would be fooled into
thinking that an executive would be making such a sweeping request," Sander
said.

In the first quarter of 2016, at least 41 organizations were victimized by
BEC attacks, but that number is closer to 70 when additional disclosures
are counted. Some organizations were successfully hit earlier in the year,
but only just recently discovered the problem, delaying notification.

On April 25, GoldKey | PHR, a hotel management company that controls a
large part of the rooms on Virginia Beach, disclosed that W-2 information
was compromised on February 29, but this fact wasn't discovered until April
3. The cause of the breach was listed as a "criminal Phishing email" and
impacted at least 3,000 people.

Also on April 25, NetBrain Technologies Inc., a network visualization firm
based in Burlington, Massachusetts, said someone posed as a company
executive and requested 2015 W-2 data on March 3. The documents were
delivered as asked, impacting all employees.

On April 12, the Girl Scouts of Gulfcoast Florida disclosed that on March
17, someone impersonated the author of the notice itself, Betsy Laughlin,
the Director of Finance, and requested 2015 W-2 records. Because the
request was spoofed to appear as if she sent it, the employee who received
it didn't hesitate.

On April 26, Michels Corporation, a contractor based in Brownsville,
Wisconsin, disclosed that a company executive was impersonated by a
scammer, requesting 2015 W-2 records. The incident occurred on April 16,
and impacted more than 5,000 current and former employees.

With a low barrier of entry to launch such a campaign, and an even lower
overhead, criminals show no signs of slowing when it comes to targeting W-2
information. Even if the stolen data isn't used immediately, it can be
compiled and sold for a number of different uses.

"If your CEO appears to be emailing you for a list of company employees,
check it out before you respond. Everyone has a responsibility to remain
diligent about confirming the identity of people requesting personal
information about employees," IRS Commissioner John Koskinen said in a
statement issued earlier this year with a memo warning about the rise in
BEC attacks.

Many of the firms that have disclosed these incidents report that employees
have detected tax fraud, which seems to be the ultimate goal in these
attacks. Since 2015, the FBI says there has been a 270-percent increase in
the number of identified victims and exposed losses.