March 7, 2016 • RBS

On Tuesday March 1st, the IRS issued an alert to payroll and human resources professionals across the nation, warning of a fresh phishing scam angling for employee data. Like so many other targeted phishing campaigns that have come before it, the latest scheme starts with gathering basic staff information about the company such as the name of the CEO or CFO and who’s who in the HR department – exactly the type of information that is so easily obtained from networking sites such as LinkedIn or a quick read of the friendly “Meet Our Staff” page made a part of so many websites these days.

Armed with this information, and taking advantage of the fact that it's tax season, the scammers then send spoofed emails purporting to come from a C-suite executive to HR, requesting W-2 data. The statement from the IRS indicates the bait has already hooked "several victims". From recent disclosures, that list appears to include at least twelve companies since early February.

| Who | How Many Impacted | Date Occurred | Date Reported |
|---|---|---|---|
| Actifio | Not Disclosed | February 3, 2016 | March 2, 2016 |
| The Brickman Group | Not Disclosed | February 3, 2016 | February 10, 2016 |
| Magnolia Health Corporation | 563 | February 3, 2016 | February 12, 2016 |
| Polycom, Inc. | Not Disclosed | February 5, 2016 | February 12, 2016 |
| Main Line Health | 11,000 | February 16, 2016 | March 2, 2016 |
| Mercy Housing | Not Disclosed | February 19, 2016 | February 22, 2016 |
| Pharm-Olam | Not Disclosed | February 23, 2016 | February 25, 2016 |
| Central Concrete Supply | Not Disclosed | February 23, 2016 | March 1, 2016 |
| AmeriPride Services | Not Disclosed | February 25, 2016 | February 26, 2016 |
| Evening Post Industries | Not Disclosed (all employees appear to be impacted) | February 26, 2016 | February 27, 2016 |
| SnapChat | 700 | February 26, 2016 | February 28, 2016 |
| Billy Casper Golf | Not Disclosed | February 26, 2016 | March 2, 2016 |

The companies that fell for the scam are sizable organizations with hundreds, if not thousands, of employees. As companies grow and become more complex it’s possible (and perhaps even likely) that HR staffers and the persons looking for payroll data have little day-to-day interaction. If it’s not possible or practical to simply walk around the corner to ask for the information, then additional controls should be considered. Any request seeking large amounts of sensitive data should be subject to a verification process. That process can vary from a simple phone call confirming the request to more formal checks and balances.

Either way, hitting reply with sensitive data attached should never be the first step in responding to such requests. Phishing is nothing new and this most recent wave of targeted attacks is a perfect example of how old fashioned trickery is still one of the most effective means of acquiring data. All it took to scoop up thousands of records perfectly suited for filing false tax returns was a timely request for payroll information apparently from a known individual with reason to ask.
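The verification step the post calls for can be backed by a mechanical check on the request itself before anyone hits reply. As an added example (not code from RBS or from this post), the Python below flags three tell-tales a spoofed executive-to-HR request commonly carries: a display name that matches a known executive but an address that is not theirs, a Reply-To that diverts answers elsewhere, and a payroll or W-2 request arriving from outside the company's domain. The executive roster, the company domain and both sample messages are constructed for illustration; the post does not describe the exact spoofing mechanism, so the display-name check is an assumption about how such messages are typically built.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed internal mail domain (constructed)
EXECUTIVES = {                          # constructed roster: display name -> real address
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
PAYROLL_TERMS = re.compile(r"\b(w-?2s?|payroll|ssn|social security)\b", re.I)


def assess(raw_message: str) -> list[str]:
    """Return the reasons a message should be held for out-of-band verification.

    An empty list means none of the checks fired, not that the request is genuine;
    the phone call the post recommends still applies to any bulk data request.
    """
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    reasons = []

    # 1. Display name matches a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and sender != expected:
        reasons.append(f"display name '{display}' belongs to {expected}, not {sender}")

    # 2. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender:
        reasons.append(f"Reply-To {reply_to.lower()} differs from From {sender}")

    # 3. A message from outside the company asks for payroll or W-2 data.
    body = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")
    hit = PAYROLL_TERMS.search(text)
    if hit and sender_domain != COMPANY_DOMAIN:
        reasons.append(
            f"external sender domain '{sender_domain}' requests '{hit.group(0)}'"
        )
    return reasons


# Constructed sample: lookalike domain, diverted replies, bulk W-2 request.
SPOOFED_SAMPLE = """From: Jane Doe <jane.doe@example-mail.com>
Reply-To: ceo.request@example-mail.net
To: hr@example.com
Subject: W-2s for all employees
Content-Type: text/plain

Kindly send me the W-2 of all employees as PDF. I need them today.
"""

# Constructed sample: genuine internal mail with no payroll request.
LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Q1 offsite agenda
Content-Type: text/plain

Can you share the agenda for the offsite?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, assess(sample) or "no findings")
```

Each finding is returned rather than acted on, so the same function can feed a mail-gateway rule, a ticket for the HR inbox, or simply a banner reminding the recipient to confirm by phone before sending anything.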

The standard response to this type of event is to double down on awareness training, and, true to form, several of the organizations mention renewed efforts at helping staff recognize such attacks. But is training alone the answer? If tech-savvy companies like SnapChat and Actifio can fall prey to these scams, will more training really help at industrial supply services like AmeriPride and Central Concrete Supply? It certainly can't hurt, but these events tell us that a better solution is required. If you have not yet seen our Data Breach QuickView report, it shows that 2015 broke the previous all-time record, set back in 2012, for the number of reported data breaches. The 3,930 incidents reported during 2015 exposed over 736 million records.
