Employers beware: Phish scammers target human resources departments

Anticipating cybercrime could help HR departments take better steps toward cybersecurity.

In unfortunate tax news, a major phishing scheme has tricked several major companies into relinquishing tax documents that exposed their workers’ incomes, addresses and Social Security numbers. Hundreds of companies appear to have been targeted, from enterprise-level firms to small businesses.

The scam, which involved fake emails purportedly sent by top company officials, convinced the companies involved to send out W-2 tax forms, which are ideal for identity theft. For instance, W-2 data can easily be used to file bogus tax returns and claim fraudulent refunds.

Although employers are apologizing profusely to their staff, those apologies do nothing to protect the latter from identity theft. The scheme has become so widespread that it has prompted the IRS to act, releasing a statement on March 1 alerting payroll departments to the scam.

Basically, this is a human error, not a technological one. Thieves target personnel with emails claiming to be from the CEO and asking for copies of everyone’s W-2s. The Eastern European hackers are then selling the information to others.

“Phishing attacks commonly occur during holidays and other annual events, such as tax season, to prey upon people’s routines,” said Fatih Orhan, director of technology at security firm Comodo.

The most effective phishing attacks use emails decked in company logos and colors to reduce the chances of detection, Orhan said. Even without a red flag like that, payroll and personnel specialists should be trained well enough to question why a CEO needs to see individual worker W-2s in the first place.