Employers face growing risk in tax season: 'spear phishing'
Emails sent to payroll and human resources departments seeking personal information may look like they are from the CEO rather than what they really are: “phishing” attacks that have grown so numerous that the IRS has issued a warning.
Several attorneys say they have clients whose employees have fallen victim to these “spear phishing” or “spoofing” emails, generally presented as urgent requests for information such as Social Security numbers and W-2 forms that often are carefully written in the same style favored by the executive whose identity is being faked. The adjective “spear” has been added to the term “phishing” because of the precision of these emails' targets.
“If your CEO appears to be emailing you for a list of company employees, check it out before you respond,” IRS Commissioner John Koskinen said in a statement earlier this month about the scam that has ramped up this tax season. Consumer complaints about the scams were up 400% through mid-February, the IRS said.
Firms that have reported phishing breaches include Cupertino, California-based Seagate Technology L.L.C.; Venice, California-based Snapchat Inc.; and Irondale, Alabama-based Eternal Word Television Network Inc., a Catholic network.
“It's hitting everywhere. I'd be surprised if there's an industry or a sector that's not being affected,” said F. Paul Greene, a partner at Harter Secrest & Emery L.L.P. in Rochester, New York.
“The thing that's new this time round is it's focused on HR,” said Mr. Greene. Three or four years ago, criminals focused on chief financial officers and finance departments, which would receive an emailed request to wire money to a certain account.
“Companies quickly learned to tighten their financial controls to forbid wire transfers based on email. Now, they're learning their HR information has just as much value,” he said.
“Because it is tax season, HR department and payroll employees are accustomed to receiving requests from some executives about various tax-related issues, and that's maybe why they're more susceptible to believing these are valid requests,” said Melinda McLellan, counsel at Baker & Hostetler L.L.P. in New York.
In one case, the scam was discovered when an employee filed his income tax return and was told it had already been filed, said William H. Latham, a partner at Nelson Mullins Riley & Scarborough L.L.P. in Columbia, South Carolina.
“The criminals are doing their homework,” said Ben Beeson, Washington-based cyber risk practice leader at Lockton Cos. L.L.C. They will investigate the person they want to pretend to be through Facebook or LinkedIn, build a profile of that person and use it to create a successful attack, he said.
Cyber criminals may already “have been in your system, looking at how the communications are written so they can mimic the tone and the structure of the emails as closely as possible,” said Eric C. Cernak, Munich Reinsurance Co.'s U.S. cyber and privacy practice leader in Hartford, Connecticut.
“It's simple, it's elegant and it's been effective because of the time of year and the sense of urgency communicated in the messaging,” said Douglas F. Brent, counsel to Stoll Keenon Ogden P.L.L.C. in Louisville, Kentucky.
Many companies have warned employees about the dangers of malware, ransomware and credit card fraud, so an email with no attachment and a simple request from a known person “catches people with their guard down,” he said.
Training and vigilance are important, observers say.
“Rarely will a business make a valid request of sensitive information by email,” said Mr. Greene, “so it's a matter of looking internally, identifying where the risk is with respect to information and figuring out how to close the gaps.”
Anyone with access to personal information “should be given regular training as to things to look out for,” said Mr. Latham. Many companies are hiring firms to conduct tests “to see if employees are biting on these phishing attempts,” but they should also have a culture “where you can question an email,” he said.
“The savvy HR folks are picking up the phone and asking, ‘Why do you want this?’ and the CFO is saying, ‘What are you talking about?’” said Linn Foster Freedman, a partner at Robinson & Cole L.L.P. in Providence, Rhode Island.
Software is also available that can warn if email is being sent to recipients outside the company, said Mr. Latham.
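The two controls the article mentions, a warning when payroll data is addressed outside the company and a check that a message that looks like it comes from an executive actually comes from the company's own domain, amount to a few header rules. The following is an added illustration written for this page, not software from any vendor or firm named in the article; the company domain `example.com`, the executive name list, the keyword patterns and the sample headers are all constructed for the example.

```python
"""
Rule-based checks for the two phishing controls described in the article:
  * inbound: a From display name that matches an executive but an address that
    is not on the company domain (display-name spoofing), a Reply-To that points
    somewhere other than the sender's domain, and urgent wording paired with a
    request for payroll or tax data;
  * outbound: a warning when recipients are outside the company, and a stronger
    warning when the message also mentions payroll or tax data.
Company domain, executive names and all sample messages are constructed.
"""
import re
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "example.com"                 # assumed company mail domain
EXECUTIVES = {"jane ceo", "jane c. ceo"}       # assumed executive display names (lowercase)
SENSITIVE = re.compile(r"\b(w-?2|social security|ssn|payroll|1099)\b", re.I)
URGENT = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)


def domain_of(addr: str) -> str:
    """Domain part of an address, lowercased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_inbound(headers: dict, body: str) -> list:
    """Return the reasons an inbound request looks like executive impersonation."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    # Display name says "the CEO" but the mailbox is not on the company domain.
    if name.strip().lower() in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        reasons.append("executive display name from external domain")
    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append("Reply-To domain differs from From domain")
    # Urgency plus a request for W-2/SSN/payroll data: verify by phone regardless
    # of who the sender appears to be.
    text = headers.get("Subject", "") + " " + body
    if SENSITIVE.search(text) and URGENT.search(text):
        reasons.append("urgent request for payroll/tax data")
    return reasons


def check_outbound(headers: dict, body: str, attachment_names=()) -> list:
    """Return the reasons an outbound message should prompt a warning before sending."""
    present = [headers[h] for h in ("To", "Cc", "Bcc") if headers.get(h)]
    recipients = [addr for _, addr in getaddresses(present)]
    external = [a for a in recipients if domain_of(a) != COMPANY_DOMAIN]
    text = " ".join([headers.get("Subject", ""), body, *attachment_names])
    reasons = []
    if external:
        reasons.append("external recipients: " + ", ".join(external))
        if SENSITIVE.search(text):
            reasons.append("payroll/tax data addressed outside the company")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a look-alike domain with a one-character substitution.
    spoofed = {"From": '"Jane Ceo" <jane.ceo@examp1e.com>',
               "Subject": "Urgent: W-2 forms for all staff"}
    print(check_inbound(spoofed, "Send me the W-2s for every employee today."))
    print(check_outbound({"To": "hr-partner@gmail.example", "Subject": "W-2 export"},
                         "Attached as requested.", ["w2_all_staff.pdf"]))
```

The inbound urgency rule deliberately fires even when the sender domain is genuine, since a compromised internal mailbox produces the same message and the article's advice, confirm by phone, applies either way. The outbound rule is the "warn on external recipients" control Mr. Latham describes, with the payroll keyword match added so the stronger warning appears only where W-2 or Social Security data is involved.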
Companies whose employees are phishing victims should contact the IRS and law enforcement themselves rather than relying on employees to do so, said Kathleen M. Nilles, a partner at Holland & Knight L.L.P. in Washington.
Firms also should quickly contact counsel to determine their notification obligations and whether they need to offer credit monitoring services, Ms. McLellan said.
Data breaches resulting from the theft of personally identifiable information would be covered under firms' cyber insurance policies, Mr. Beeson said. Such coverage also would pay an employer's defense costs and damages should an employee sue because their tax return was filed fraudulently.
Experts say employees should be suspicious of any email seeking personally identifiable information and confirm its veracity, either in person or by phone — but not by email.