It's happened again. Scammers have leveraged Phishing to gain access to W2 information at several firms, including technology powerhouse Seagate.
No company is immune to these types of social attacks, and organizations both large and small have become victims to a finance-based scheme that has a long reach.
Last week, Sunday in fact, Snapchat disclosed that someone had posed as the company's CEO and requested employee payroll data. The email wasn't viewed as a scam, but instead as a legitimate request, and thus 700 employees had their information exposed.
The week prior, on February 23, someone targeted Central Concrete Supply Co., posing as an employee, they requested W2 information and received it. The Friday before that, on February 19, the same scam was used against Mercy Housing Inc. Once again, it worked, and the company was tricked into exposing W2 information for all active employees.
On February 3, 2016, Magnolia Health Corporation reported that all active employees were exposed after an Excel spreadsheet containing sensitive employee data was sent to a person posing as the company's CEO.
On the same day, BrightView, a landscaping firm in California, was also successfully targeted. On February 5, Polycom, the communications company that is known for their video and telephone conferencing offerings, became another victim.
In each of these cases, the data compromised included everything needed to fill out a W2.
Now, a seventh victim can be added to the list – Seagate. Towards the end of February, Seagate was targeted by the same scam that worked against the other six firms.
The attack was a success, and Seagate handed over W2 data for 2015 on all current and former employees located in the U.S. The company learned of the incident on March 1.
The news was broken by journalist Brian Krebs after a former employee received a notice and reached out to him.
Seagate confirmed the incident with Salted Hash via an emailed statement. The company says they're working with law enforcement to investigate the incident, adding that they're "aggressively analyzing where process changes are needed" and will implement them as soon as possible.
The ultimate goal in each of the seven incidents appears to be tax fraud. The criminals who obtained the W2 information could use it to file fraudulent returns. In many of the notifications, the victimized employees are encouraged to file their returns as soon as possible and obtain their free (but ultimately useless) credit monitoring account.
There's also the chance that the data can be used for other types of fraud, or worse, amended tax returns (1040X).
Business Email Compromise / Correspondence attacks (BEC attacks) are an offshoot of Spear Phishing attacks that are personal in nature. To keep it simple, think of them as Phishing attacks, but they're more focused and usually have a single goal.
They play on the trust relationships that exist within the company. When it comes to targeting trust, awareness campaigns within the organization can help, but they're not a silver bullet. It's hard to build an awareness program that starts by creating an element of mistrust among the staff and senior leadership.
In the real world, a company's staff know and trust one another. They throw birthday parties and purchase cookies during a school fundraiser. They have a softball team. They host cookouts. In some ways they're a small family.
Sometimes, that isn't the case, but think about it – how often do you question or second-guess an email from a co-worker asking for something? It isn't just about W2 data, BEC scams can target anything that's of value to the company.
Again, awareness programs built on killing trust won't work. When the CEO emails a request, there's usually a good reason for it, so the staff just complies.
What is effective is empowerment.
When a request for sensitive company data comes via email, the employee receiving the request should feel empowered to challenge it and confirm that the request is legitimate. No matter who makes the request. No matter what their status is within the company.
Further, it should be standard policy that a request for such data should be verified by at least two parties, and only if they agree should the data be released. Even better, two parties and someone within IT / InfoSec at the company.
In many of the reported BEC cases, the scam would have failed if there were additional verification policies in place. It isn't perfect solution, but it's a human answer to a human problem, because technology won't save a company looking to fight these types of attacks.
The video below talks about email scams and threats, Salted Hash filmed the segment last week during the RSA conference in San Francisco.