SECURITY ALERT: Stop Sending W-2s to Hackers!

W-2 Phishing Attacks Impacting Virginia Businesses

Last year, hundreds of Virginia businesses fell victim to W-2 phishing attacks. A phishing attack is a socially engineered attempt to obtain sensitive information from an individual or company. During a phishing attack, the attacker often sends an email that appears to come from a high-ranking employee within the targeted company. W-2 scams are a specific type of phishing attack that targets employees' W-2s, often around tax season, in order to steal their identities for financial gain. W-2 phishing attacks have a high rate of success for the hackers and can be very costly for the business. Breach notification requirements and legal fees can cost tens of thousands of dollars or more. As we enter the 2019 tax season, it is critical that your company is vigilant against this type of cyber attack.

IRS W-2 Scam Alert

In November, the IRS updated its alert about W-2 phishing attacks, encouraging businesses to be vigilant. The IRS alert indicated a significant increase in phishing attacks since this time last year. At Bluestone Analytics, we worked with numerous companies that were victims of this crime last year. We want to provide meaningful information that will help other Virginia companies avoid the same issues in 2019.

How Does a W-2 Scam Work?

W-2 phishing attacks tend to succeed by exploiting human emotions. The attackers try to convey a sense of urgency or fear to the individual they target with the phishing email. In Virginia, we tend to see W-2 phishing emails sent to administrative assistants, financial analysts, or interns. The emails often appear to come from the CEO, COO, or CFO and demand that the W-2s be sent immediately. Too often, the employees simply comply because they are too uncomfortable to ask whether their boss is actually requesting the sensitive data. An example W-2 phishing email can be seen below.

Would your employees be able to spot this scam?

4 Steps to Preventing Phishing Attacks

1. Employee Awareness is Key!

It may seem obvious, but making your employees aware of the threat of a W-2 phishing attack will drastically decrease the likelihood that one of them falls victim. Share this blog post with your employees to give them a basic understanding of the problem and some ways to identify a potential attack.

2. Empower Vertical Communication

The best way to defeat W-2 scams is to empower ANY employee in your company to verify a request for sensitive data. Even the newest intern should be able to call the CEO if she gets a suspicious email. Just verifying that the request for sensitive data is legitimate would defeat the vast majority of W-2 phishing scams. No sensitive data should leave your company without a verbal verification. 

3. Create a Formal Anti-Phishing Training Program

Phishing attacks are the most common form of cyber attack currently threatening businesses. On average, untrained employees click on a phishing email about 40% of the time. With such a high click-through rate and almost no risk to the threat actor, it is unsurprising that phishing emails have dramatically increased. Training your employees to spot phishing emails will help decrease the chance that your business becomes a victim. Phishing emails often have common distinguishing features that can be spotted with proper training. Our approach to anti-phishing training starts with short educational modules; we then test your employees with simulated phishing emails and measure the results. Through our process, we have reduced our clients' phishing click-through rates from 40% to 2%, dramatically reducing their risk exposure.

4. Develop an Incident Response Plan

While the techniques listed above are effective in reducing the likelihood of a phishing attack, your company should have a plan in place if an attack is successful. Companies that have an incident response plan in place recover faster and minimize the amount of sensitive data lost in an attack. Bluestone Analytics provides custom-designed incident response plans that empower businesses with the tools and processes they need to deal with an already difficult situation. 

Bluestone Analytics Protects your Data.

Bluestone Analytics has helped many Virginia businesses recover from W-2 phishing attacks. We want to help your company prevent these attacks before they happen. We help businesses protect sensitive data and valuable intellectual property. For more information or a free consultation, please contact us.