An employee was tricked into sending employee tax deduction records known as W-2 forms for 2015 to cyber criminals in response to an email that appeared to come from a company executive.
Email spoofing, or creating email messages with a forged sender address, is a popular method used by cyber criminals to trick people into helping them.
The technique is commonly used in phishing attacks, but it is increasingly being used to trick people into making large transfers of company funds into cyber criminal accounts.
This type of attack is known variously as a whaling attack, business email compromise (BEC) or CEO fraud.
In January 2016, Austrian aircraft industry supplier FACC was hit by a $54m cyber fraud believed to have been carried out using this method.
The IRS’s W-2 forms contain all the personal information cyber criminals would need for ID theft and fraud, such as name, address, social security number and income.
The retailer said the FBI and US Internal Revenue Service (IRS) are investigating, but, according to US reports, it gave no indication of how many of its more than 21,000 employees were affected by the breach.
Training and system configuration
According to information security experts, organisations need to be more proactive about educating employees and configuring IT systems to prevent employees from unwittingly helping cyber criminals.
“No type of antivirus can protect an organisation from being the victim of this type of attack. So, once that email shows up in the inbox of that employee in the payroll department, it’s game-on,” said Nathan Sorrentino, marketing manager at security firm STEALTHbits Technologies.
“Until organisations become more proactive in training their employees to look for the signs of this now all-too-common phishing scam, the attacks will continue into the foreseeable future,” he said.
Jonathan Sander, vice-president at access management firm Lieberman Software, said that, rather than blaming the employee concerned, Sprouts should ask why that payroll employee had on-demand access to so much sensitive information.
“If a payroll employee wants one W-2, then maybe you just let them have it. If that same employee wants all of them all at once, then there should be something that triggers – to say this is a different sort of request that deserves more scrutiny,” he said.
Encrypt sensitive emails
While organisations will never stop phishing or ensure that all employees are never fooled by cyber criminals in some way, they can ensure that, when systems are asked to give people extraordinary privilege to access sensitive information, those systems put a check on that power.
“If the system had stopped this employee and made them get an approval from some appropriate authority to lay hands on every single W2 all at once, then maybe we’d be reading about a security success not yet another data breach,” he said.
As phishing has become a growing threat to businesses, information security experts have repeatedly advised against sending sensitive information in the clear using email.
Instead, they advise that information commonly targeted by criminals should be encrypted to ensure that it can be accessed only by authorised users.
“The use of cryptographically signed emails and securely configured mail services with advanced spam filters, sender policy framework (SPF), and DomainKeys Identified Mail (DKIM) configurations can also greatly reduce the likelihood of a successful e-mail scam,” said Craig Young, researcher at security firm Tripwire.
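As an added illustration of the SPF and DKIM point above (not code from the article or from anyone quoted in it), this Python example flags mail whose From header claims the organisation's own domain without an SPF or DKIM pass for that same domain. The domain `example.com`, the gateway name `mx.example.com` and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example.com"           # assumption: placeholder for the company mail domain
TRUSTED_AUTHSERV = "mx.example.com"  # assumption: the gateway that stamps the results

def domain_of(value):
    """Domain part of an address or bare domain, lower-cased."""
    return value.rpartition("@")[2].strip("<>").lower()

def aligned_passes(msg, from_domain):
    """SPF/DKIM methods that passed for the From domain itself."""
    passed = set()
    for header in msg.get_all("Authentication-Results", []):
        authserv, *parts = header.split(";")
        # Ignore results not written by our own gateway: a sender can inject this header.
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for part in parts:
            m = re.match(r"\s*(spf|dkim)=(\w+)", part, re.I)
            if not m or m.group(2).lower() != "pass":
                continue
            # SPF authenticates the envelope sender, DKIM the signing domain (d=).
            # A pass for some other domain says nothing about the From header.
            prop = "smtp.mailfrom" if m.group(1).lower() == "spf" else "header.d"
            ident = re.search(re.escape(prop) + r"=(\S+)", part, re.I)
            if ident and domain_of(ident.group(1)) == from_domain:
                passed.add(m.group(1).lower())
    return passed

def is_spoofed_internal(raw):
    """True if From claims OWN_DOMAIN without an aligned SPF or DKIM pass."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    return from_domain == OWN_DOMAIN and not aligned_passes(msg, from_domain)

def sample(from_hdr, auth):
    """Build a constructed test message (not real mail)."""
    return (f"From: {from_hdr}\nTo: payroll@example.com\n"
            f"Authentication-Results: {auth}\nSubject: W-2 request\n\nbody\n")

EXEC = '"Pat Exec" <ceo@example.com>'
GENUINE = sample(EXEC, "mx.example.com; spf=pass smtp.mailfrom=ceo@example.com;"
                       " dkim=pass header.d=example.com")
FORGED = sample(EXEC, "mx.example.com; spf=pass smtp.mailfrom=bounce@mailer.invalid;"
                      " dkim=none")
INJECTED = sample(EXEC, "mx.attacker.invalid; spf=pass smtp.mailfrom=ceo@example.com")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED), ("injected", INJECTED)):
        print(name, "-> flag" if is_spoofed_internal(raw) else "-> ok")
```

The forged sample carries `spf=pass`, but for the sender's own envelope domain, which is why the check compares the authenticated domain with the From header instead of trusting the word "pass".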