HR Departments: Gone Phishing?
March 7, 2016 • RBS
On Tuesday March 1st, the IRS issued an alert to payroll and human resources professionals across the nation, warning of a fresh phishing scam angling for employee data. Like so many other targeted phishing campaigns that have come before it, the latest scheme starts with gathering basic staff information about the company such as the name of the CEO or CFO and who’s who in the HR department – exactly the type of information that is so easily obtained from networking sites such as LinkedIn or a quick read of the friendly “Meet Our Staff” page made a part of so many websites these days.
Armed with this information and taking advantage of the fact it’s tax season, the scammers then send spoofed emails supposedly from the C-suite executive to HR requesting W-2 data. The statement from the IRS indicates the bait has already hooked “several victims”. From recent disclosures, that list appears to include at least twelve companies since early February.
| Who | How Many Impacted | Date Occurred | Date Reported |
| --- | --- | --- | --- |
| Actifio | Not Disclosed | February 3, 2016 | March 2, 2016 |
| The Brickman Group | Not Disclosed | February 3, 2016 | February 10, 2016 |
| Magnolia Health Corporation | 563 | February 3, 2016 | February 12, 2016 |
| Polycom, Inc. | Not Disclosed | February 5, 2016 | February 12, 2016 |
| Main Line Health | 11,000 | February 16, 2016 | March 2, 2016 |
| Mercy Housing | Not Disclosed | February 19, 2016 | February 22, 2016 |
| Pharm-Olam | Not Disclosed | February 23, 2016 | February 25, 2016 |
| Central Concrete Supply | Not Disclosed | February 23, 2016 | March 1, 2016 |
| AmeriPride Services | Not Disclosed | February 25, 2016 | February 26, 2016 |
| Evening Post Industries | Not Disclosed (all employees appear to be impacted) | February 26, 2016 | February 27, 2016 |
| SnapChat | 700 | February 26, 2016 | February 28, 2016 |
| Billy Casper Golf | Not Disclosed | February 26, 2016 | March 2, 2016 |
The companies that fell for the scam are sizable organizations with hundreds, if not thousands, of employees. As companies grow and become more complex it’s possible (and perhaps even likely) that HR staffers and the persons looking for payroll data have little day-to-day interaction. If it’s not possible or practical to simply walk around the corner to ask for the information, then additional controls should be considered. Any request seeking large amounts of sensitive data should be subject to a verification process. That process can vary from a simple phone call confirming the request to more formal checks and balances.
Either way, hitting reply with sensitive data attached should never be the first step in responding to such requests. Phishing is nothing new, and this most recent wave of targeted attacks is a perfect example of how old-fashioned trickery is still one of the most effective means of acquiring data. All it took to scoop up thousands of records perfectly suited for filing false tax returns was a timely request for payroll information, apparently from a known individual with reason to ask.
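The two controls described above (treat every request for bulk payroll data as something to verify out of band, and don't trust a familiar name in the From line) can be partly automated at the mail gateway. The following Python script is an added example, not code from the original post or from RBS. It assumes a hypothetical company domain `example.com`, a hard-coded executive roster (in practice this would come from the directory), and a gateway that stamps an `Authentication-Results` header; the three sample messages are constructed for the demonstration.

```python
"""Triage inbound mail that looks like an executive asking HR for W-2 or payroll data.

Added example (not part of the original post). Assumptions: example.com is the
company's own domain, EXECUTIVES is the roster a scammer could harvest from a
"Meet Our Staff" page, and the gateway adds Authentication-Results with DMARC.
"""
from email import message_from_string
from email.utils import parseaddr
import re

CORPORATE_DOMAIN = "example.com"                      # assumption
EXECUTIVES = {                                        # assumption: name -> real mailbox
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
# Terms that mark a request for the kind of data the IRS alert is about.
SENSITIVE = re.compile(r"\b(w-?2s?|payroll|ssn|social security)\b", re.I)


def _plain_text(msg) -> str:
    """Collect the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw: str) -> dict:
    """Return spoof indicators and whether the mail asks for sensitive employee data."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    indicators = []

    # 1. Display name belongs to an executive but the address is not their mailbox.
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr != real_addr:
        indicators.append(f"display name '{from_name}' but address {from_addr}")

    # 2. Replies are silently redirected somewhere other than the From address.
    if reply_addr and reply_addr != from_addr:
        indicators.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. Claims our own domain but the gateway did not record a DMARC pass.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == CORPORATE_DOMAIN and "dmarc=pass" not in auth:
        indicators.append("claims corporate domain without dmarc=pass")

    text = msg.get("Subject", "") + "\n" + _plain_text(msg)
    return {"spoof_indicators": indicators, "sensitive_request": bool(SENSITIVE.search(text))}


def triage(raw: str) -> str:
    """Map the assessment to an action: a sensitive request is never simply delivered."""
    result = assess(raw)
    if result["sensitive_request"] and result["spoof_indicators"]:
        return "quarantine"
    if result["sensitive_request"]:
        return "verify-out-of-band"   # e.g. phone the requester before replying
    if result["spoof_indicators"]:
        return "flag"
    return "deliver"


# Constructed sample messages (not real mail).
SPOOFED = """From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: Jane Doe <jd.ceo@webmail.invalid>
To: hr@example.com
Subject: Urgent: W-2 copies for all employees
Authentication-Results: mx.example.com; dmarc=none

Please send me the 2015 W-2s for all staff as PDF today. Thanks, Jane
"""

EXACT_DOMAIN_SPOOF = """From: John Roe <john.roe@example.com>
To: payroll@example.com
Subject: Payroll report
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com

Need the full employee payroll listing with SSNs by noon.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Lunch on Thursday
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Can we move the team lunch to Thursday?
"""

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED), ("exact-domain", EXACT_DOMAIN_SPOOF), ("legit", LEGIT)]:
        print(label, "->", triage(sample), assess(sample)["spoof_indicators"])
```

Note that `triage` returns `verify-out-of-band` even when no spoof indicator fires: a genuine executive request for W-2s still goes through the phone-call or sign-off step the post recommends, because the header checks only catch the clumsier impersonations and a compromised real mailbox would pass all three.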
The standard response to this type of event is to double down on awareness training and, true to form, several of the organizations mention renewed efforts at helping staff recognize such attacks. But is training alone the answer? If tech-savvy companies like SnapChat and Actifio can fall prey to these scams, will more training really help at industrial supply services like AmeriPride and Central Concrete Supply? It certainly can’t hurt, but these events tell us that a better solution is required. If you have not yet seen our Data Breach QuickView report, it shows that 2015 broke the previous all-time record, set back in 2012, for the number of reported data breaches. The 3,930 incidents reported during 2015 exposed over 736 million records.