During the past few weeks, many companies have been targeted by an email phishing scheme that has resulted in the disclosure of confidential personal information of numerous employees and other persons. The email is usually the same: a spoofing email from the CEO (or some other high-level executive) asking human resources, accounting or payroll departments for W-2 information. A cybercriminal armed with this information can then file fraudulent tax returns and receive an individual’s tax refund. In many cases, fraudulent returns are filed within days of the theft of the information.

While the IRS has circulated an alert highlighting this scam, we continue to see companies fall victim to this scheme, including recent news reports that Snapchat and Seagate Technology have released sensitive payroll data to cybercriminals posing as company executives.

To prevent falling victim to this scheme, we urge you to quickly alert your employees and staff members, especially your human resources, accounting and payroll departments, to closely scrutinize any request for personal information, particularly W-2 or payroll information. At a minimum, inform your employees and staff members to do the following:

  1. call the sender of the email requesting the information and verify that he or she indeed made the request (e.g., if the email appears to come from “Jane Doe, CEO,” call Jane Doe to verify before sending any requested information); and
  2. rather than replying to the original email, only send the requested information by composing a new email message to a known email address for the sender (e.g., compose an email to Jane Doe, using her known email address from the company directory).

In addition, you should inform employees that the phishing email is often similar to the format below:

Subject: SALARY REVIEW

Hello,

Kindly send me the 2015 W-2 (PDF) of our company staff for a quick review.

Thanks,

CEO Name

Many hackers can obtain the necessary information to perpetrate this scam from a corporate website or individual’s LinkedIn profiles. As discussed in a previous update, hackers use spear phishing scams to target individuals or businesses by posing as a friend, colleague or other business that routinely interacts with the individual or business and then requests certain personal or proprietary information. For many businesses, disclosing sensitive and valuable information can cause significant costs and expenses triggered by federal and state data privacy and security laws, including costs associated with complying with data breach notification requirements.

We will continue to monitor and provide updates regarding this latest scheme. If you have questions or any other cybersecurity concerns related to your organization, please contact an attorney on our Data Security & Privacy Team.