HR Departments: Gone Phishing?

gonephishingOn Tuesday March 1st, the IRS issued an alert to payroll and human resources professionals across the nation, warning of a fresh phishing scam angling for employee data. Like so many other targeted phishing campaigns that have come before it, the latest scheme starts with gathering basic staff information about the company such as the name of the CEO or CFO and who’s who in the HR department – exactly the type of information that is so easily obtained from networking sites such as LinkedIn or a quick read of the friendly “Meet Our Staff” page made a part of so many websites these days. Armed with this information and taking advantage of the fact it’s tax season, the scammers then send spoofed emails supposedly from the C-suite executive to HR requesting W-2 data.  The statement from the IRS indicates the bait has already hooked “several victims”. From recent disclosures, that list appears to include at least twelve companies since early February.


Who How Many Impacted Date Occurred Date Reported
Actifio Not Disclosed February 3, 2016 March 2, 2016
The Brickman Group Not Disclosed February 3, 2016 February 10, 2016
Magnolia Health Corporation 563 February 3, 2016 February 12, 2016
Polycom, Inc. Not Disclosed February 5, 2016 February 12, 2016
Main Line Health 11,000 February 16, 2016 March 2, 2016
Mercy Housing Not Disclosed February 19, 2016 February 22, 2016
Pharm-Olam Not Disclosed February 23, 2016 February 25, 2016
Central Concrete Supply Not Disclosed February 23, 2016 March 1, 2016
AmeriPride Services Not Disclosed February 25, 2016 February 26, 2016
Evening Post Industries Not Disclosed

(all employees appear to be impacted)

February 26, 2016 February 27, 2016
SnapChat 700 February 26, 2016 February 28, 2016
Billy Casper Golf Not Disclosed February 26, 2016 March 2, 2016

The companies that fell for the scam are sizable organizations with hundreds, if not thousands, of employees. As companies grow and become more complex it’s possible (and perhaps even likely) that HR staffers and the persons looking for payroll data have little day-to-day interaction. If it’s not possible or practical to simply walk around the corner to ask for the information, then additional controls should be considered. Any request seeking large amounts of sensitive data should be subject to a verification process. That process can vary from a simple phone call confirming the request to more formal checks and balances. Either way, hitting reply with sensitive data attached should never be the first step in responding to such requests.

Phishing is nothing new and this most recent wave of targeted attacks is a perfect example of how old fashioned trickery is still one of the most effective means of acquiring data. All it took to scoop up thousands of records perfectly suited for filing false tax returns was a timely request for payroll information apparently from a known individual with reason to ask. The standard response to this type event is to double down on awareness training and true to form, several of the organizations mention renewed efforts at helping staff recognize such attacks. But is training alone the answer? If tech-savvy companies like SnapChat and Actifio can fall prey to these scams, will more training really help at industrial supply services like AmeriPride and Central Concrete Supply? It certainly can’t hurt, but these events tell us that a better solution is required.

If you have not yet seen our Data Breach QuickView report it shows that 2015 broke the previous all-time record, set back in 2012, for the number of reported data breaches.  The 3,930 incidents reported during 2015 exposed over 736 million records.