Tax identity theft is big business for fraudsters, and they’re willing to take extraordinary measures to perpetrate their lucrative scam of filing fraudulent tax returns using others’ personal information.
One new, rather crafty, measure is to target businesses in search of employee data. The scam works like this — the cybercriminal will “spoof” the email address of an organization’s CEO and send an urgent request to the human resources or accounting departments for the W-2 forms of every employee.
Spoofing is when a scammer forges an email’s headers so that the “From:” field appears to show another individual’s email address. Because these emails display the CEO’s exact email address, this CEO phishing email is very hard to detect.
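Because the displayed “From:” address can be forged, a useful defensive check compares it against the headers the spoofer usually cannot control consistently. The script below is an added example, not code from EZShield or the original article. It assumes a placeholder internal domain, `example.com`, and inspects two constructed messages: a spoofed one whose `Reply-To` and `Return-Path` point to an attacker-controlled domain and whose upstream `Authentication-Results` reports an SPF failure, and a legitimate one. The header names are standard; the heuristic (flag internal-looking senders whose other headers disagree) is the example’s own.

```python
"""Flag messages whose From: header claims our domain but whose other
headers point elsewhere. Added example with constructed sample messages."""
import email
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumed internal domain (placeholder)


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_bytes, org_domain=ORG_DOMAIN):
    """Return a list of reasons a message looks like a spoofed internal sender.

    Only messages whose From: domain matches org_domain are examined; for
    those, Reply-To, Return-Path and Authentication-Results are compared.
    """
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    if _domain(msg.get("From")) != org_domain:
        return findings  # external sender: outside the scope of this check

    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != org_domain:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain")

    ret_dom = _domain(msg.get("Return-Path"))
    if ret_dom and ret_dom != org_domain:
        findings.append(f"Return-Path domain {ret_dom!r} differs from From domain")

    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("upstream Authentication-Results report a failure")
    return findings


# Constructed sample: spoofed CEO request (attacker domain is a placeholder).
SPOOFED_MSG = (
    b'From: "Jane Doe, CEO" <ceo@example.com>\n'
    b"Reply-To: ceo.example@mail.attacker.test\n"
    b"Return-Path: <bounce@mail.attacker.test>\n"
    b"To: hr@example.com\n"
    b"Subject: Urgent: W-2s for all employees\n"
    b"Authentication-Results: mx.example.com; spf=fail "
    b"smtp.mailfrom=mail.attacker.test\n"
    b"\n"
    b"Can you send me the W-2s of all employees as PDFs? Need them ASAP.\n"
)

# Constructed sample: ordinary internal message.
LEGIT_MSG = (
    b'From: "Jane Doe, CEO" <ceo@example.com>\n'
    b"To: hr@example.com\n"
    b"Subject: Team lunch\n"
    b"Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com\n"
    b"\n"
    b"Lunch on Friday?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        reasons = spoof_indicators(raw)
        print(f"{label}: {'SUSPICIOUS' if reasons else 'ok'}")
        for r in reasons:
            print("  -", r)
```

A mail gateway or a quick triage script can run this over incoming messages; anything flagged is exactly the case where the in-person confirmation described below should happen before any data is sent.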
Brian Krebs, cybersecurity expert and investigative journalist, shared a screenshot of one of these spoofed emails. Luckily, the recipient in this case was wary of the request and walked over to the CEO to confirm his odd demand — foiling the scammer’s plot.
The CEO phishing email has been relentlessly targeting businesses, both large and small. Already, major organizations have handed over their employees’ W-2s, which include names, addresses, birth dates, Social Security numbers, income information and more — leaving employees vulnerable to identity theft and fraud.
Last year, the IRS paid $5.8 billion to tax identity thieves; that number is expected to grow in 2016. With help from sophisticated scams like this, the hefty price tag for taxpayers will undoubtedly skyrocket.
What should you do?
While highly effective, the CEO phishing email can be thwarted by taking a few moments to question what’s in your inbox. It’s vital that you, as well as your coworkers, take the following steps to reduce your organization’s risk.
Meet face-to-face for odd/urgent requests
It never hurts to verify sensitive requests in-person, especially if your boss or coworker is emailing you about sensitive customer, employee or business data.
Notice tone and voice
A key tip-off to this email is the lack of personal touch. If you receive a message that seems out of the ordinary or overly formal, never hesitate to question the request — in person. Keeping quiet can be one of the most costly mistakes an employee can make.
Inform HR, IT and Accounting
It is imperative to share this scam with your place of work, especially the human resources and accounting departments. Having this scam on their radar will help protect you and your coworkers from identity theft and fraud. Give these high-risk areas an additional helping hand by working with your IT team to implement cyber safeguards.
Encourage safe sharing at work
Heighten your team’s awareness of phishing scams and other cyber threats through regular training sessions and corporate policies. Make sure you have enough technical support to thwart any cyber risks targeting your business, including installing and maintaining anti-virus and anti-phishing software.
Did you already fall for the CEO phishing email?
If you have already exposed employee data as a result of this phishing scam, it’s crucial you take immediate action to remedy the situation. Technically, your organization has experienced a data breach. Post-breach measures typically include notifying impacted individuals and offering protection services.
For more information on state-specific data breach requirements, please visit the National Conference of State Legislatures’ website.
Have you ever received a phishing email at work? Share your story in the comments below.
The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.