Snapchat recently revealed it had been hit by a major phishing scheme targeting different companies’ payroll and personnel departments. The photo sharing and messaging service said its payroll department had been tricked by a fraudulent email impersonating its CEO, Evan Spiegel, which led to the release of employee W-2 tax forms to unauthorized persons.
Phishing schemes have become the bane of the modern Internet age. Companies – big and small – are frequently duped by fraudsters using spoofing emails, a situation that highlights the need for people to be more vigilant to avoid the headaches that typically follow a data breach or identity theft.
The Los Angeles-based Snapchat did not specify how many employee W-2 tax forms it released, but is said it was managing the situation.
“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” the company said.
Snapchat isn’t the only company to have recently fallen victim to scammers who send fraudulent emails disguised as requests from the company CEO, asking for copies of worker W-2s. Several other major companies have, unfortunately, been tricked in a similar manner.
On Feb. 24, a few days before Snapchat publicly announced it had been hit by the data security incident, Central Concrete Supply Co., based in San Jose, Calif., announced it had also fallen victim to the scammers. The San Jose, Calif. company said in a memo (PDF) that a third party posing as another person convinced one of its employees to provide copies of 2015 W-2 forms via e-mail.
Small Business Deals
Similarly, Seagate Technology was tricked into relinquishing tax documents last year, which exposed its workers’ incomes, Social Security numbers and addresses. The disk-drive maker acknowledged surrendering the W-2s for all of its current and former employees who worked at the company.
The affected companies have all notified federal authorities about the phishing attacks, and Snapchat and Seagate have said they are offering affected workers two years of free credit monitoring.
When Phishing Attacks Commonly Occur
Phishing attacks commonly happen during holidays and around other important times like tax season. The attacks prey on people’s routines, exploiting human gullibility rather than weaknesses in computer or Internet security, explains Fatih Orhan, director of technology at security firm Comodo.
And, sadly, the phishing attacks are becoming increasingly effective precisely because they are now relying on the powers of persuasion instead of a dubious email link or attachment that might raise suspicion, says Ed Jennings, chief operating officer at email security company Mimecast.
“It’s just like someone who convinces you to hand over $20 on the street,” Jennings adds.
It’s unclear how many small businesses and large firms have been taken in by the W-2 tax scam, but hundreds of companies appear to have been targeted, according to Stu Sjouwerman, CEO of KnowBe4, a Florida company that trains employers to detect and avoid such scams.
The attacks have been so widespread that, on March 1, the IRS posted a press release to alert HR, accountants and payroll professionals of the phishing scheme.
Although the IRS did not disclose how many companies had reported being duped by the targeted phishing scammers, the agency said the spoofing emails have so far claimed “several victims.”
The IRS also added that it has seen a 400 percent increase in phishing and computer malware incidents this tax-filing season. “It’s premature to provide numbers at this point, but even one company being fooled by these criminals is too many,” the IRS said in a statement.
As cases of phishing persist, it is important that business execs, employees and payroll specialists are aware of the scams and stay alert so that companies aren’t taken in. Employees should also get adequate training to question why a CEO would need to see individual worker W-2s in the first place.
“If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees,” IRS Commissioner John Koskinen said in the press release.
Hopefully, this phishing alert comes to you early enough before scammers pretending to be someone they are not catch you flat-footed and leave you scrambling to respond to a serious data breach.
Image: Small Business Trends via Snapchat
More in: Cybersecurity