It’s that taxing time of the year.   Employees have received W-2 forms and the tax filing season has begun in earnest.  And, as night follows day, last year’s W-2 spear-phishing scam has returned.  The IRS and state tax authorities have issued a new alert  to HR and payroll departments to beware of phony emails intended to capture personal information of employees.   The emails generally appear to be from a senior executive (typically the CEO or CFO) to a company payroll office or HR employee and request a PDF or list of employee W-2 forms for the tax year.   Those forms contain all the information any cybercriminal needs to file a fraudulent tax return for a tax refund.   That scam cost the US taxpayer about $21 billon in 2016.  Over 70 companies fell victim to the 2016 scam and hundreds of thousands of employee records, including Social Security numbers, were compromised.

To refresh your memory, here are some of the details that may be contained in the emails:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

We’ve already seen some activity on this front being reported from around the country.  These incidents not only create angst for employees, but they constitute data breaches reportable under state law because personal information has been exposed to an unauthorized (and unknown) individual and the risk of identity theft is high.   Last year’s incidents also resulted in class action lawsuits by employees against some of the victimized companies.

Employees Are Front Line of Defense

These emails look absolutely legitimate.  That is what makes them so effective.  The header of the email may look exactly as one would expect, mirroring the company fonts, duplicating automated signature blocks, and containing the actual email address of the spoofed executive in the “From:” line. Often, the return email address won’t even be visible until after the reply is sent unless the user specifically expands the address field. If you look carefully, it is likely that the domain name is a few characters “off” from the company’s legitimate domain name, such as substituting the number one (1) for the letter “l” or replacing a “.org” with a “.com”.   The more sophisticated attacks may utilize information obtained from LinkedIn® or social media designed to lull the target into a false sense of trust.

Awareness of these attacks and the problem is the key for employees.   

Train employees — particularly HR and payroll employees — who handle sensitive information to be wary of direct requests for personal information from company executives.   Send out samples of such emails and establish a campaign to raise employee consciousness.  A bit of skepticism goes a long way in protecting against this type of attack.  Confirmation of this type of request should be standard operating procedure, no matter who appears to have sent it.   Your company’s IT department should also be monitoring for phishing trends and remaining on the alert for suspicious outgoing activity, including large files or attachments.

Ask.  Since we have already seen reports of these attacks very early in this tax year, it is time to check in and insure that your company has not already fallen victim.   It’s important to respond quickly to reduce total damage to the organization, and most importantly, to your employees.  Affected individuals can protect themselves with certain forms filed with the IRS – but it’s only effective if they know soon enough.

 

The Mintz Levin Privacy team is here to help with employee training or preparing a plan to respond to an incident.

As published in our sister blog, Health Law & Policy Matters

OCR Provides Additional Clarification on Phishing Scam

As we reported earlier this week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights described a phishing campaign that is attempting to convince recipients of their inclusion in OCR’s Phase 2 audit program. The email, which was disguised as an official communication, suggests that recipients click on a link. This link takes recipients to a non-governmental website marketing cybersecurity services.

On Wednesday, OCR followed up their alert with additional details about the phishing campaign. According to OCR, the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. OCR points out the subtle difference from the official email address for its HIPAA audit program, OSOCRAudit@hhs.gov, noting that such subtlety is typical in phishing scams.

OCR also took the opportunity to confirm that it has notified select business associates of their inclusion in the Phase 2 HIPAA audits.  For more information about the Phase 2 audit program please visit our earlier post.

The FBI warned this summer that the “Business Email Compromise” (“BEC”) scam continues to grow, evolve, and target businesses of all sizes. As reported by the FBI in June, the scam had hit more than 22,000 victims for a combined dollar loss of greater than $3 billion – that’s billion with a B! And the latest evolution is even more threatening, potentially causing breaches of protected data.

What is the BEC scam? Why have so many been taken in? And how can you protect yourself?

The BEC scam is a smart, targeted scheme using emails that appear genuine, usually seeming to originate from within the victim’s company or from its suppliers/contractors.  For example, the company’s CFO may receive an email that seems to come from the CEO, urgently directing funds to be wired to a specified account for a seemingly legitimate purpose. Or the email may appear to come from a supplier or contractor and seek payment on an invoice that appears legitimate. If the company wires funds as directed, the funds are transferred offshore and become unrecoverable.

The scam has been highly effective because BEC emails mimic legitimate requests. The perpetrators research their victim to learn its protocols, its counterparties’ names, its payment methods, etc. They often use social engineering techniques (e.g., phishing emails requesting info) to learn details about the targeted business. The successful perpetrators learn which individuals are necessary to perform wire transfers and what protocols are used. They may learn when the CEO is traveling, so that an email from the CEO directing payment would not be questioned. The perpetrator may have hacked and used a valid email account for this purpose, or may have established an account with a similar domain name. Their level of sophistication has enabled the theft of billions of dollars.

Earlier this year, the FBI started receiving reports that this highly successfully scheme has evolved into a means to obtain confidential information, leading to data breaches. For example, an email request to the human resources department may prompt the disclosure of W-2 forms or other confidential, personally identifiable information (“PII”). The FBI reports that victims have fallen for this new data-theft BEC scenario, even if they were able to successfully identify and avoid the traditional BEC scam.

We all have learned (hopefully) not to click links in suspicious looking emails. But trusted emails receive less scrutiny. What steps can you take to avoid being hit?

  • If an email is directing payment by wire or seeks protected information, it merits special treatment.
  • TRAIN employees and establish clear protocols for wire transfers and data privacy.
  • Beware of sudden changes in business practices. Require secondary sign-off by company personnel when a change in payment method is requested.
  • Always verify requested changes via other channels. Don’t click “reply”. Instead, call the sender to verify; and use a trusted phone number, not a phone number appearing in the email. Or forward the email to the sender after typing a trusted email address, and seek confirmation.
  • Be suspicious of requests for urgent action or secrecy.
  • Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail.
  • In addition, diligently maintain data and email security. Educate employees to be alert to social engineering situations, and to delete phishing emails. Establish two-factor authentication for email accounts.

If you have questions about how to train employees and avoid these phishing scams, contact a member of the Mintz Levin Privacy team.

Privacy & Security Matters Monday Blog Series ImageA new month, a new Privacy Monday.

JPMorgan Chase:  Baiting the Hook for Phishers 

Cybercrime researchers say that the 83 million customer records (76 million consumer and 7 million small business) swiped from JPMC could be the fuel for years of fraud.  In its 10-K filing with the Securities and Exchange Commission, JPMC disclosed the nature and scope of the information.   See herePay attention to the fact that hackers penetrated one of the world’s largest banks and stole nothing of apparent value:  they did not steal a single account number, Social Security number or password.  Continue Reading Privacy Monday – October 6, 2014

Written by Amy Malone

Last week the FBI released a fraud alert warning financial institutions that cyber criminals have been using tactics such as spam and phishing emails to obtain employee log-in credentials.  After obtaining the credentials the hackers initiated wire transfers oversees.  A few days after the alert, Bank of America, JPMorgan Chase  and Wells Fargo suffered service outages that prevented access to their websites.  According to security experts, such outages were likely caused by denial of service attacks that disrupt the service to websites by overloading the servers with traffic so that they cannot respond to legitimate requests.

These attacks have been aimed at financial institutions, but are a good reminder to all organizations that cyber security remains an important aspect of your company’s overall security.  Technology is constantly changing and hackers are always finding new ways to penetrate systems so it’s important for organizations to analyze their systems and make updates as necessary.

Where do you start?  Below are a few tips for combating cyber security threats:

1) Remain vigilant.  No security system is 100% secure so it’s important to review the safety measures you have in place and identify gaps.  A good way to identify such gaps is by hiring a third party to perform penetration tests on your systems.  Malicious attacks are simulated in penetration tests which will enable your organization to identify how your protections fail.  It’s also important to run regular scans of your network for vulnerabilities and make sure your firewalls are as strong as possible.  Investing in security technology before you have a breach will save your organization time and money in the long run.

2) Train your employees.  According to a recent article published by Computerworld, most data breaches are inadvertently caused by employees.  An organization can have the most robust cyber security system available, but if employees are not trained and re-trained about the importance of protecting sensitive information then there are going to be data breaches.  It’s important to educate employees on how to protect information, including the threats posed by spam and phishing emails.

3) Encrypt, encrypt, encrypt.  Encryption of information at all stages will  information useless if it is obtained during a hack.

4) Vet your vendors.  Is your company providing sensitive information to third parties (storing documents offsite?  That counts!)?  If so, it’s essential that your company conduct reviews of vendors to ensure their security measures meet your standards.   What about your vendor’s vendors?  See our previous blog here discussing that topic.

Protecting your company’s personal information is an on-going challenge.  If you need help building your data security program contact any member of your Mintz Levin service team, or one of Mintz Levin’s privacy lawyers.

4:44 PM — LinkedIn has confirmed reports of hacking –

http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

 

It’s time for a little password hygiene.

ZDNet reports that a Russian organization claims to have downloaded over 6.4 million passwords from LinkedIn.  They also report that some 300,000 of them may have already been accessed.  LinkedIn has yet to confirm these details and continues to investigate if any security breach has occurred.

All LinkedIn users are encouraged to change their passwords —  and, as we’ve advised with respect to other hacks,  if you use your LinkedIn password for multiple sites you may want to update passwords for those sites as well.  Users should also be aware that the hackers may send phishing emails in attempts to gain more information about them or may use the information accessible on LinkedIn to exploit in social engineering attacks.

Read more about this latest hack –

Los Angeles Times

Forbes

The Guardian

The Sun

By now, you’ve probably received one or more emails like this:

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:
http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.

Sincerely,

Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy

We’ll explain after the jump —

Continue Reading Major e-mail data breach occurs at mega-marketer