W-2 Tax Email Scam Has Employees Giving Out Personal Information
If you haven’t heard the term “whaling attack,” as it relates to the hacking community, you’re not alone. It’s a fairly recent phenomenon, and is a subset of the standard phishing attack, where hackers will contact employees of a company in an effort to get user IDs, passwords, or other sensitive information out of them.
A whaling attack is essentially the same, thing, but it specifically targets or impersonates high ranking members of a company, with the usual goal being to trick the contacted employee into sending sensitive or proprietary data via a non-routine, unsecure channel, or to otherwise compromise standard security protocols.
The most recent case of a successful whaling attack was made against Sprouts grocery, when an employee at the company’s Arizona headquarters was contacted by what he thought was one of the company’s senior executives, asking for the W-2’s of all 21,000 company employees.
Since the email appeared legitimate, the employee did as directed and sent the requested information, only finding out later that something was wrong.
This underscores how important security protocols are. The fact that a request of that magnitude came via email instead of through a more formal channel should have been a red flag, but it wasn’t. It also underscores how much room there is for improvement in terms of designing “smart” data security policies.
In other words, it’s one thing if someone in the payroll or accounting department accesses a W-2 for an individual employee. That shouldn’t raise any hackles, and there are any number of perfectly valid reasons for doing so. On the other hand, it would be somewhat unusual for an employee to need access to all 21,000 records, which should have triggered an internal alert, so that the matter could have been brought to someone’s attention while there was still time to prevent the data from being unwittingly put into the wrong hands.
The good news is, there are lessons to be learned from events like this one, and we have the tools today to put smart policies like the one described above into place. It’s just a matter of having the will, and taking the time to do it.
If you’re concerned that your company’s data security policies aren’t everything they should be, contact a data security specialist and let them help you. They can evaluate your existing system, and make specific, hard-hitting recommendations for how you can improve so as to better protect your sensitive and valuable information.