Scam Artists’ Latest Target: HR!

A story appearing earlier this week on the Milwaukee Journal Sentinel website—about a series of phishing incidents that targeted and successfully scammed corporate HR departments into sharing confidential personnel information—recently caught my attention.ThinkstockPhotos-487606535

It serves as a  reminder, in the event one is required, that HR departments need to be much more vigilant in their efforts to protect against such attacks—which continue to become more frequent and sophisticated—or suffer the consequences.

As the MJS story explains, the scam, involving fake emails purportedly sent by top company officials, convinced HR staffers to “send out W-2 tax forms that are ideal for identity theft.” Among the employers featured in the story falling victim: disk-drive-maker Seagate Technology and messaging-service Snapchat.

On March 1, the Internal Revenue issued an alert to payroll and HR professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

“The IRS has learned this scheme—part of the surge in phishing emails seen this year—already has claimed several victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives,” the alert said.

IRS Commissioner John Koskinen noted that …

“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments. If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

The IRS alert explained that this “phishing variation is known as a ‘spoofing’ email. It will contain, for example, the actual name of the company chief executive officer. In this variation, the ‘CEO’ sends an email to a company payroll-office employee and requests a list of employees and information including SSNs.”

The MJS article reports that both Snapchat and Seagate have “notified federal authorities” about the incidents and are offering affected workers two years of free credit monitoring.

Risa Boerner, a partner in Fisher & Phillips’ Radnor, Pa., office and the chair of its Data Security and Workplace Privacy Practice Group, told me yesterday that scam artists are becoming much more sophisticated in their efforts.

Today, she explained, they can clone a CEO’s email account and make it look like it’s coming from him or her, as was the case here. While that was possible 10 years ago, she added, it wasn’t very common for the messages to look as polished and believable as they often do today.

She noted that these incidents speak to the need for employers to not only thoroughly train their employees, but also update their training regularly to keep up with changing tactics. “What was current two years ago may not be current now,” she said.

Prudent advice, I’d say, considering the level of sophistication of the perpetrators. I’m sure no one reading this would like to see his or her company join the ranks of those falling victim to such a ploy—and then having to deal with the aftermath.