The more things change, the more things stay the same, or so the adage goes. Yesterday, which was very fitting for Groundhog Day, the IRS released a warning concerning the reappearance of phishing scams targeting W-2 information.
A link to the IRS warning can be found here.
This is nothing new, of course, with the IRS having issued effectively the same form of warning around this time last year.
If anything, scammers are moving their efforts up on the calendar, getting an early start on the tax season and the associated rush in HR. (Last year’s IRS warning concerning these scams came on March 1, while scam activity prompted this year’s warning on February 2.)
The only twist to the scam this time around, according to the IRS, is that the scammers are now targeting schools, non-profits, restaurants, healthcare providers, and tribal organizations, to name a few. This is a common scenario in the world of cyber threats: first-line scam victims harden their controls, but those that haven’t yet been targeted remain vulnerable.
Also, as the IRS notes, it is seeing the W-2 scam coupled with or followed by bogus requests for wire transfers, which nevertheless look legitimate. This too is common. Once an organization falls victim to an attack, it has a proverbial target on its back. Scammers and hackers will return to the cyber well as often as they can to squeeze every bit of information and treasure out of a victim before they move on.
A company’s best defense against this type of scam is awareness and empowerment. Everyone in an organization should be empowered to ask questions when a request for sensitive information looks suspicious. The phishing scammers prey not only upon an employee’s desire to be efficient and responsive, but also upon the all-too-prevalent mentality that security is someone else’s job. Changing that mindset can be a great protection against these types of attacks, and can be the most cost-efficient step an organization can take to increase its security posture generally.