• United States



Senior Staff Writer

Organizations still reporting stolen W-2 information

Apr 18, 20162 mins
CybercrimeSecuritySocial Engineering

Email-based scams targeting W-2 data remains a top threat for CFOs and HR

Since the end of 2015, criminals have gone on a rampage targeting W-2 information at organizations both large and small. So far this year, more than sixty organizations have come forward as victims of business email compromise (BEC) scams, including three just last week.

Despite today’s tax deadline with the IRS, these attacks show little sign of slowing down.

“Business email compromise attacks are hitting all industries, at a scale never seen before—and we don’t anticipate it will slow down anytime soon. It’s especially critical that finance, payroll, and human resources departments be alert for these scams,” said Proofpoint’s SVP of strategy Ryan Kalember.

Last week Bristol Farms Inc. told employees that someone impersonated a company executive and requested 2015 W-2 information. An employee, believing the request to be legitimated, complied. The incident occurred on March 30.

In a letter dated April 13, the Academy of Art University reported an incident from April 4 that targeted W-2 details. Sticking to the established pattern, someone posed as a university executive and requested the tax information via email. The employee who received the request believed it to be legitimate and attached the requested information to an emailed response.

Morongo Casino, a Native American Casino & Resort located near Palm Springs, told employees last week that someone posed as an executive and emailed a request for 2015 W-2 records. Once again, the employee who received the request believed it was valid and complied. The incident happened on March 23.

The casino is also dealing with a PII problem, as 19 guests received account details on less than one-percent of the casino’s rewards club members.

In a somewhat related story, one unidentified American company was bilked out of $100 million, after someone posed as a legitimate vendor via email. The details were disclosed by the US government in a civil forfeiture lawsuit filed last week in Manhattan.

$74 million of the stolen funds have been recovered. The lawsuit is an attempt to recover the remaining money, which is being held in different banks across the globe.

Head over to this story to see additional BEC-related coverage form Salted Hash.