Businesses are increasingly targeted by phishing attacks that seek to collect employee W-2 records, according to a report Monday from CSO.
More than sixty organizations say they have been victims of such incidents since the beginning of 2016.
The FBI estimates phishing crimes have cost organizations more than $2.3 billion in losses over the past three years.
Emails seeking W-2 data are increasingly popular because they are so effective. Hackers either phish an executive and gain access to that individual’s inbox, or email employees from a domain name very similar to the target company’s real domain. A lower-level staffer is then asked to share W-2 records or related payroll information. Because they look like real emails and are sent only to specific individuals, such scams usually don’t set off company spam traps.
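The two delivery paths described above call for different handling, which the following added example illustrates (it is not code from the CSO report or from any mail product). It triages a message that asks for W-2 or payroll data by its sender domain: a near-miss of the company domain is flagged as a lookalike, while a request from the genuine domain is held for out-of-band confirmation, because the inbox itself may be compromised. The domain `example-corp.com`, the distance threshold, the keyword list and the sample messages are all assumptions made up for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"   # assumption: placeholder for the real domain
MAX_DISTANCE = 2                      # assumption: edits that still count as "very similar"
PAYROLL_TERMS = re.compile(r"\bw-?2s?\b|\bpayroll\b|\bemployee list\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw_message):
    """Return 'pass', 'lookalike', 'verify' or 'external' for one raw email."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if not PAYROLL_TERMS.search(text):
        return "pass"                 # not a W-2 / payroll request
    if domain == COMPANY_DOMAIN:
        return "verify"               # genuine domain, but the inbox may be compromised
    if edit_distance(domain, COMPANY_DOMAIN) <= MAX_DISTANCE:
        return "lookalike"            # near-miss of the company domain
    return "external"                 # unrelated outside sender asking about payroll

# Constructed sample messages (not real mail).
SAMPLES = {
    "spoof": "From: Pat Lee <pat.lee@examp1e-corp.com>\nSubject: Urgent request\n\n"
             "Please send me the 2015 W-2 forms for all staff today.\n",
    "inside": "From: Pat Lee <pat.lee@example-corp.com>\nSubject: Employee list\n\n"
              "I need the payroll records for all employees.\n",
    "vendor": "From: News <news@vendor.example>\nSubject: Payroll webinar\n\nJoin us.\n",
    "chat": "From: Sam <sam@examp1e-corp.com>\nSubject: Lunch?\n\nFree at noon?\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw))
```

The "verify" result is the case a domain check alone cannot catch: the message really does come from the company's own domain, so only confirmation through a separate channel distinguishes it from a hijacked executive inbox.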
On March 1, Seagate Technology gave up the 2015 W-2 forms of all its current and former U.S.-based employees in a phishing scam. The week before, Snapchat revealed it was also the victim of a phishing scam when an employee released company payroll information to an attacker pretending to be CEO Evan Spiegel.
IRS Commissioner John Koskinen issued a statement earlier this year warning about the rise in such attacks.
“If your CEO appears to be emailing you for a list of company employees, check it out before you respond,” said Koskinen. “Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
In early April, the FBI posted an alert warning about phishing attacks that skillfully mimic an email from an employee’s manager or executive requesting a funds transfer or similar activity. The alert said the FBI has seen a 270% increase in such scams since January 2015.