On March 1, 2016, the Internal Revenue Service alerted the business community to an e-mail phishing scheme designed to convince employees to hand over company-wide W-2 tax forms, which contain Social Security numbers and other personally identifiable information. While the scam has taken different forms, the most prevalent approach is an e-mail that purports to come from the company's CEO or CFO, addressed to payroll or human resources staff, requesting copies of all issued W-2s.
While the IRS warning noted that the scam had already claimed "several victims," the phishing effort is, unfortunately, working on a much larger scale. The director of Experian's data breach resolution group stated earlier this month that the information services company is handling more than 70 data breaches a week resulting from this one type of phishing scam. Perhaps that number is not surprising when one considers the roughly 100 billion spam e-mails sent every day.
Employee error continues to be one of the primary causes of data breaches suffered by companies both big and small. Companies should strongly consider proactive measures designed to reduce the likelihood of a breach. These include appropriate employee training, monitoring for and advising employees of current phishing trends, requiring that any request for bulk employee data be verified through a second channel (for example, a phone call to the executive who supposedly sent it), and installing filtering software that blocks spam and spoofed e-mail before it reaches employee inboxes. Businesses may also consider establishing programs that reward employees who report suspected attacks, rather than punishing employees who mistakenly respond to a phishing e-mail.
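As an added example, not part of the original post, the following Python sketch shows the kind of mail-flow check the monitoring advice above points at. It flags the pattern the IRS described: a message whose display name matches a company executive but whose sender address is not that executive's real address, or whose Reply-To points outside the company, combined with a request for W-2 forms. The company domain, the executive roster and the sample messages are all constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the original post): a company domain and a
# roster of executives the scam impersonates, keyed by lower-cased display name.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",  # hypothetical CEO
    "john roe": "john.roe@example.com",  # hypothetical CFO
}
# Matches "W-2", "W2", "W-2s" or "W2s" as a whole word, case-insensitively.
W2_PATTERN = re.compile(r"\bw-?2s?\b", re.IGNORECASE)


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return the indicator codes found in one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []

    # Display name belongs to an executive, but the address is not theirs
    # (lookalike domain, free webmail, etc.).
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append("exec-name-spoof")

    # Replies are silently redirected to an address outside the company.
    if _domain(reply_addr) not in ("", INTERNAL_DOMAIN):
        reasons.append("external-reply-to")

    # The message asks about W-2 forms.
    if W2_PATTERN.search(subject + "\n" + body):
        reasons.append("w2-keyword")
    return reasons


def is_suspicious(raw):
    """Flag only when a W-2 request is paired with at least one identity mismatch,
    so routine internal payroll notices about W-2s are not flagged."""
    reasons = score_message(raw)
    return "w2-keyword" in reasons and len(reasons) > 1


# Constructed sample messages (not real mail).
SPOOFED_DISPLAY_NAME = """From: Jane Doe <jane.doe@examp1e-mail.com>
To: payroll@example.com
Subject: Urgent: W-2s for all employees
Content-Type: text/plain

Hi, I need the W-2 forms for every employee as PDFs today. Send them directly to me.
"""

EXTERNAL_REPLY_TO = """From: John Roe <john.roe@example.com>
Reply-To: John Roe <johnroe.exec@webmail.example.net>
To: hr@example.com
Subject: W2 request
Content-Type: text/plain

Please reply with the W2 list for all staff before the board meeting.
"""

LEGIT_PAYROLL_NOTICE = """From: Payroll <payroll@example.com>
To: all-staff@example.com
Subject: W-2 forms are available in the HR portal
Content-Type: text/plain

Your 2015 W-2 is now available for download in the HR portal.
"""

LEGIT_UNRELATED = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck
Content-Type: text/plain

Can you send me the latest version of the board deck?
"""

if __name__ == "__main__":
    for name, raw in [("spoofed display name", SPOOFED_DISPLAY_NAME),
                      ("external reply-to", EXTERNAL_REPLY_TO),
                      ("legit payroll notice", LEGIT_PAYROLL_NOTICE),
                      ("legit unrelated", LEGIT_UNRELATED)]:
        print(f"{name:22s} suspicious={is_suspicious(raw)!s:5s} {score_message(raw)}")
```

This is a triage heuristic for a mail gateway or SIEM rule, not a substitute for enforcing SPF, DKIM and DMARC on the company domain or for the out-of-band verification step described above; a determined attacker who obtains a genuine internal mailbox will pass every check here, which is why the procedural control matters.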