What has become a common feature of the post-Holiday season is the W2 phishing scam. This is a sophisticated social engineering attack to dupe clients’ payroll and HR departments into providing W-2 data on employees, to enable the crooks can file fraudulent tax returns. For several years, these criminals have been the cause of identity theft and in the case of Seagate, a class class-action lawsuit.
These attacks are upsetting to clients’ staff, costly and are avoidable with a certain level of risk management training.
The typical W-2 phishing email is spoofed to look like it is from a senior executive and asks the employee to provide W-2 or other tax-related information either by replying to the phishing email, by sending the information to another email address, or to upload it to a server owned by the bad guys. In many instances, the request for the information appears to be urgent, which forces the employee to act quickly. These spoofed messages can be very convincing. The emails have the email address and often contain the actual signature block of the executive that makes the employee believe that the email is authentic.
Warn clients (and your staff) to stop before clicking on a link and follow proper procedure, even though the email might look like it’s from the boss. A company we use, KnowBe4 has ready-to-send phishing templates including the spoofed executive email address that you can use to inoculate high-risk employees against this type of CEO fraud.
Here is a screenshot of a W-2 fraud template you can use:
Here is a post at the KnowBe4 blog that describes a sophisticated CEO Fraud attack and has a ready-to-email message that you can copy.
This type of attack can be highlight disuprtive to your firm and clents. Let everyone know of the possibility of an attack and take appropriate risk management precautions.
Jorgensen & Company are not attorneys and do not offer any form of legal advice. Consult with appropriately qualified local counsel for more assistance. Rickard Jorgensen is President and Chief Underwriting Officer for the CPAGold™ program and may be contacted at (201) 345 2440 or firstname.lastname@example.org
- SOCIAL ENGINEERING/WIRE TRANSFER FRAUD – A NEW TWIST ON AN OLD SCAM.
- A new variation on Comfort letters – Third Party Verification Letter requests from Investment Professionals
- Cybercrime Uses Social Engineering Techniques to Steal Employee Credentials and Commit Payroll Diversion
- Using the engagement letter to reduce cyber liability exposure
- Early Notice to insurers and claims mitigation has many benefits