In this day and age, employees of virtually any company go through extensive information security training. You’ve become adept at recognizing a scam. You know to never give your password to anyone. Before opening any email, you always make sure it’s from a sender you recognize. You’re suspicious of any emails with generic subjects or unusually urgent wording.
Then one day, while at the office, you receive an innocuous-looking email from a senior manager, requesting W-2 information on a specific list of employees. You work in human resources, so it’s normal that someone seeking employee tax information would come to you. The request seems to be coming from a legitimate email address within the company. In addition, the person making the request outranks you—and you don’t want to question their authority.
If you’re like most people, such an email wouldn’t give you pause. However, it’s actually a sophisticated type of scam targeting payroll and human resources personnel around the country. Here’s how it works:
A hacker breaks into a high-level executive’s email account. The hacker then sends emails to members of payroll or HR, requesting W-2 information. If any employee emails this information back, they have just provided an identity thief with their colleagues’ Social Security Numbers. The scammer now has the ammunition to wreak havoc on the lives of unsuspecting victims.
How to avoid falling victim
Scammers are becoming increasingly sophisticated. Phishing emails can appear to come from legitimate senders, and their contents may read as trustworthy on the surface. However, employers need to train their employees to never send any sensitive information by email—as this is not a secure transmission method. If you receive an email requesting private information, talk to the sender directly to ensure that the request is valid. Then provide the information in person.
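Because the request in this scam arrives from a genuine internal account, checking the sender does not help; an outbound content check can back up the "never send sensitive information by email" rule. The sketch below is an added example, not part of the original article: the function names, addresses and sample data are constructed, and it assumes a mail gateway that can pass the raw message to a hook before delivery.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# SSN-shaped token: 3-2-4 digits, separators optional, not part of a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Drop values the SSA never issues, to reduce false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def count_ssns(text):
    return sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))

def text_parts(msg):
    """Yield decoded text of the body and of text attachments (e.g. CSV)."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")

def should_hold(raw_message, threshold=1):
    """True if the outbound message should be held for review."""
    msg = message_from_string(raw_message)
    return sum(count_ssns(t) for t in text_parts(msg)) >= threshold

def build_sample(body, csv_rows=None):
    """Constructed test message; addresses and data are made up."""
    m = EmailMessage()
    m["From"], m["To"] = "hr@example.com", "manager@example.com"
    m["Subject"] = "RE: W-2 information"
    m.set_content(body)
    if csv_rows:
        m.add_attachment(csv_rows, subtype="csv", cte="base64", filename="w2.csv")
    return m.as_string()

if __name__ == "__main__":
    reply = build_sample("List attached.", "name,ssn\nA. Example,123-45-6789\n")
    print(should_hold(reply))
    print(should_hold(build_sample("Call me at 555-123-4567.")))
```

The check only reads text parts, so W-2 data sent as a PDF or spreadsheet attachment would need a text-extraction step in front of it.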