It’s another great example of how you have to stay on top of the latest security threats that are circulating around the internet. An interesting targeted phishing scam that is especially bad during tax season (April in the United States) has shown up where hackers impersonate CEOs and ask a company’s financial department for the W2 forms for employees.
As reported on Krebsonsecurity.com, the security firm KnowBe4 received a fraudulent email from someone impersonating the CEO. They had apparently hijacked a GoDaddy email server and made the email look like it was coming from “firstname.lastname@example.org”; however, the return address was not associated with the company itself. Fortunately, there was a new CFO on board who smelled something “phishy”. A quick check with the CEO himself revealed that he had never requested the documents.
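The tell in the KnowBe4 email was a From address that looked like the CEO’s while the reply address pointed somewhere else. The following is an added example, not code from the original post, showing a simple mail-filter check for that pattern; the executive list, the keyword list and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed executive list (hypothetical names/domains, not from the post):
# display name -> domain their mail should come from.
EXECUTIVES = {"jane doe": "example.org"}
W2_KEYWORDS = re.compile(r"\bW-?2s?\b|social security|payroll", re.IGNORECASE)


def domain_of(addr):
    """Return the lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return the reasons a message looks like a W-2 phishing attempt (empty if none)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = domain_of(from_addr)
    reasons = []

    # Replies would go to a domain other than the one the mail claims to come from.
    for label, addr in (("Reply-To", reply_addr), ("Return-Path", return_path)):
        dom = domain_of(addr)
        if dom and dom != from_dom:
            reasons.append(f"{label} domain {dom} differs from From domain {from_dom}")

    # Display name matches an executive but the address is not on the expected domain.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_dom != expected:
        reasons.append(f"display name impersonates {from_name} but address is on {from_dom}")

    # Subject or body asks for the kind of data the scam is after.
    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if body else ""
    if W2_KEYWORDS.search(msg.get("Subject", "") + " " + text):
        reasons.append("subject or body requests W-2 / payroll data")
    return reasons


# Constructed sample modelled on the incident described above.
SAMPLE = """From: Jane Doe <jane.doe@example.org>
Reply-To: Jane Doe <jane.doe@mail-example.net>
Subject: Urgent: employee W2s
Content-Type: text/plain

Please send me the W2 forms for all employees as soon as possible.
"""
```

Running `check_message(SAMPLE)` flags both the Reply-To mismatch and the W-2 request, which is the combination a finance inbox filter or a SOC rule would want to surface for a human check.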
W2 forms are big targets for tax fraud criminals because they contain all the data required to file a phony tax return and claim a large refund, such as name, address, and social security number – all without the knowledge of the actual person whose identity is being stolen. That is, until the real person tries to claim their refund and is denied.
Fraudsters actually stole the W2 data of over 330,000 people using a loophole at the IRS.gov website last year. The ability to register online was “hijacked” and fraudsters registered using people’s names before the actual people themselves could sign up. Using the information collected the fraudsters were able to claim fraudulent tax refunds.
The moral of the story here is to just stay vigilant and up to date on the latest phishing schemes. You could be the smartest person out there, but anyone can get tricked or fooled, especially when con artists impersonate people that you actually know.
Bookmarking blogs such as Krebs On Security and Ars Technica is a great way to stay on top of security trends. Companies should brief employees on these trends as well. It’s never a bad idea to send out emails with security tips on a monthly basis to your employees so that they stay sharp and alert. Even I almost fell for the IRS phone scam when it happened to me, although I was able to search Google to see if anyone else had had the same thing happen to them.
And that’s another thing – if something seems out of the ordinary a quick Google search to see if anyone else is reporting the scam is a great tool.