Go to Top

W-2 Fraud: Are Your Clients Prepared for a W-2 “Phishing” Attack?

Tax Season Creates a Spike in These Catastrophic Incidents

The Background

Your HR Director walks into your office: her face ashen, her voice trembling. Earlier that day, she received an email from the company CFO asking her to email all employee W-2 forms to him. In her typical efficient manner, she complied immediately. The email from the CFO, however, was a phony. It was a “spoof” email sent from a criminal organization that had registered an email / web domain that was a minor variation of your firm’s email address. (Example:  john@acme.com vs. john@acmee.com.) The subtle difference went unnoticed, and the W-2 forms, containing names, social security numbers, earnings, and addresses of your 300 employees are now in the hands of an organized criminal in Russia. Ouch.

What follows next is a firestorm. A true business disaster that will include police reports, lawyer fees, notification letters, credit monitoring, and potential regulator attention…not to mention the possibility of litigation.

A Troubling Trend with Real Risks to Small Businessesphishing

W-2 fraud (a highly targeted version of a “phishing” scam) is a multi-million dollar industry, and law enforcement agencies are reporting a significant increase in these crimes, up over 100% from years past.

•   60% of data breaches are the result of non-malicious employee errors
•   87% of cyber insurance claims are coming from small to mid-sized businesses

It Gets Worse

Lest you think you can shift this risk to your cyber insurance carrier, think again. The recent Apache Corp. v Great American Insurance Co. case is a reminder that in cases in which employee error rather than an outside “hack” was the root cause of the loss, a cyber insurance provider may not pay the claim. In Apache, the court upheld the insurance company’s position. A $7 million loss attributed to the error of an accounts payable employee, who fell victim to a phishing scam, was not covered by a cyber policy.

The Takeaways

Disaster Recovery Plan, DRP1.     Training.  As usual, training and awareness is the key to successfully getting ahead of these losses. Communicate these risks to your employees. Keeping employees up to date on the latest scams and cyber crimes can raise awareness and decrease the likelihood of data loss.

2.     Testing and Rewards. Some companies have turned to information security companies to conduct “tests” of employee conduct by sending out sample phishing emails to see which employees bite. Poor behavior is counseled, and those employees that ignore or report the phishing scam are rewarded with gift cards. This is something to consider.

3.      IR Plan.  Dust off your Incident Response Plan. Make sure your plan is up to date, has the current contact information on key members of your IR team, and has been recently tested. Practice your plan at least twice per year.

 

, , , , , ,