Naked Security

More companies snared by same type of phishing attack that hit Snapchat

If you haven't filed your taxes yet, you really should go ahead and do it before a cybercriminal does it for you.

It’s getting close to Tax Day in the US, and if you haven’t filed your taxes yet, you really should go ahead and do it before a cybercriminal does it for you.

Cybercrooks are boldly targeting companies with campaigns designed to steal employees’ personal data, frequently through targeted emails claiming to come from within the company.

This kind of scam, called spear-phishing, can trick employees into divulging sensitive information, as we saw late last month when Snapchat was snared by a targeted email that appeared to come from Snapchat’s CEO and requested data on current and past employees.

The reason the crooks want to steal employee data, as opposed to customer data, is that companies hold all of the relevant information on their employees that crooks can use to file fraudulent returns, usually all stored in one form called a W-2.
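The pattern described above (an email whose sender looks like an executive or an internal address, asking payroll for W-2 data) can be triaged mechanically before a human replies. The script below is an added example, not code from the Naked Security article or from Sophos. It uses only Python's standard `email` library and checks the two things that give these messages away: the display name belongs to a known executive but the actual address or Reply-To does not (or an internal address fails DMARC), combined with a request for payroll or W-2 data. The executive roster, the internal domain and the three sample messages are all constructed for the example.

```python
"""Triage check for executive-impersonation / W-2 request emails (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed roster: trusted display names mapped to their real addresses.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}
# Constructed: domains that count as "inside the company".
INTERNAL_DOMAINS = {"example-corp.test"}
# Terms that indicate a payroll/W-2 data request.
PAYROLL_TERMS = ("w-2", "w2", "payroll", "social security", "ssn", "wage")


def domain_of(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return {'verdict': 'pass'|'review'|'hold', 'reasons': [...]} for one message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_addr = reply_addr.lower()
    reasons = []

    # 1. Display name says "executive", address says otherwise.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr != known:
        reasons.append("display name matches an executive but the address does not")

    # 2. Replies are silently redirected outside the company.
    if reply_addr and domain_of(reply_addr) not in INTERNAL_DOMAINS:
        reasons.append("Reply-To points outside the company")

    # 3. Internal sender address that the receiving gateway could not authenticate.
    auth = msg.get("Authentication-Results", "").lower()
    if domain_of(from_addr) in INTERNAL_DOMAINS and "dmarc=fail" in auth:
        reasons.append("internal sender address failed DMARC")

    # 4. Is the message asking for payroll / W-2 data at all?
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    payroll_request = any(term in text for term in PAYROLL_TERMS)
    if payroll_request:
        reasons.append("message requests payroll/W-2 data")

    # A payroll request plus any sender anomaly is held for out-of-band verification.
    if payroll_request and len(reasons) > 1:
        verdict = "hold"
    elif reasons:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample: lookalike sender domain, external Reply-To, W-2 request.
PHISH = """\
From: Jane Doe <jane.doe@mail-example-corp.test>
Reply-To: Jane Doe <ceo.jane.doe@webmail.test>
To: payroll@example-corp.test
Subject: W-2 copies needed today
Authentication-Results: mx.example-corp.test; dmarc=none

Can you send me the W-2s for all current and former employees as a PDF? Thanks.
"""

# Constructed sample: internal address that failed DMARC, wage/SSN request.
SPOOFED = """\
From: Jane Doe <jane.doe@example-corp.test>
To: payroll@example-corp.test
Subject: Payroll summary
Authentication-Results: mx.example-corp.test; dmarc=fail (p=reject)

Please send the wage and SSN list for all staff by end of day.
"""

# Constructed sample: genuine internal message, no payroll content.
LEGIT = """\
From: Jane Doe <jane.doe@example-corp.test>
To: payroll@example-corp.test
Subject: Q1 board deck
Authentication-Results: mx.example-corp.test; dmarc=pass

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, triage(sample))
```

The "hold" verdict is deliberately conservative: a single anomaly on its own only earns "review", but any anomaly together with a request for W-2 or payroll data is exactly the combination the incidents above share, so such a message should be confirmed with the named executive by phone or in person before anything is sent.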

Two more big companies have fallen prey to spear-phishing attacks targeting employee data in the past couple of weeks, although there is no evidence at the moment that links them to one another.

Mansueto Ventures, which publishes the business magazines Fast Company and Inc., was hit by a spear-phishing campaign targeting Mansueto Ventures employee payroll information, according to Business Insider (BI).

The stolen payroll information included the names, addresses, Social Security numbers and wage data for current Mansueto Ventures staff.

In a statement released to BI, Mansueto Ventures said it is notifying employees about the incident and is “focused now on efforts to mitigate fraudulent use of the data.”

Seagate, a data storage company, was also phished by hackers seeking employee data for tax fraud, according to security blogger Brian Krebs.

Krebs reported that the W-2 tax documents of all Seagate employees, containing Social Security numbers, salaries and other personal data, were stolen by an attacker whose phishing email appeared to come from an internal Seagate address.

A spokesman for Seagate told Krebs that “several thousand” past and present Seagate employees were affected.

Similar spear-phishing attacks occurred recently at the domain registration company Rightside, where employee W-2 forms were stolen, and at KnowBe4 – a security awareness training company whose CFO sniffed out the phish and prevented a data breach.

Tax fraud scams are big business for cybercrooks, who have also repeatedly targeted the Internal Revenue Service (IRS) to steal historical tax records that can be used to file fraudulent returns.

The IRS says it has seen a 400% rise in phishing attacks in the past year.


Image of sharks courtesy of Shutterstock.com.

1 Comment

The problem here is that too many companies do not have the proper internal firewalls and network partitions to restrict these (and other) kinds of sensitive information to only the folks who definitely need access. Only the 2% of payroll employees need access to W-2 information, but in small companies–and it’s easy to train that 2%. But in smaller companies, 100% of the people could have access. Same with sensitive engineering data, test data, employee medical records, patents-to-be-filed, and other data.

There’s no easy toolkit to split up networks or file/database accessibility–somebody has to figure out how to do VPNs and network subnets. At least with the mainframe, you had RACF–define groups and files/databases they could access, hierarchically. Then allow the users into only the groups they need. Maybe there’s an opportunity for Sophos here.

