At the beginning of last year, dozens of businesses began to report similar attacks—social engineering attacks looking to acquire W-2 information. As the year progressed, additional attacks were reported, and now, in the midst of the 2017 tax season, businesses should brace for W-2 phishers.
How Does a W-2 Phishing Attack Work?
Companies small and large reported attacks in which an email that appears to come from an upper-level manager or C-level executive asks payroll and human resources for actual employee W-2s or data from W-2s. The data requested includes names, Social Security numbers, dates of birth, home addresses, and salary information. The emails are actually phishing attacks, but they have been so convincing that many companies have compromised their employees’ W-2 data.
The Trend Isn’t Slowing
The situation has become so widespread that the IRS issued an alert to payroll and human resources employees regarding possible W-2 phishing attacks. With a 400% surge in phishing and malware incidents in the 2015 tax season, companies need to be prepared for an increase this year.
How to Protect Against W-2 Phishers
Traditional awareness programs aren’t as effective when they involve suspicion between departments such as human resources and executive-level employees. A better approach is to train and empower all employees to question any request for sensitive information. When staff understand that they are supported in raising suspicions about a potential data breach threat, the result is an atmosphere of vigilance and internal trust.
Creating a Secure Posture as a Company
It can be tricky to train employees not only to be vigilant and proactive but also to feel supported in questioning any request for sensitive data. Security Pursuit can help. We offer comprehensive training and awareness programs. We can also perform penetration testing that challenges employees’ susceptibility to social engineering attacks. This combination of education and testing will give your organization a clear picture of your vulnerabilities as well as the tools you need to train your staff and protect your data.