Cyber Security Firm Hit by W-2 Phishing Scam

It’s no secret that as more and more of our lives take place online, we become more susceptible to online theft. It’s also no secret that laws and government protection haven’t done a great job keeping up with online threats — and that no one, not even the experts, are immune to cyber attacks.

That fact became painfully clear on March 16, when Defense Point Security announced that someone in their organization fell victim to a W-2 phishing scam.

“I want to alert you that a Defense Point Security (DPS) team member was the victim of a targeted spear phishing email that resulted in the external release of IRS W-2 Forms for individuals who DPS employed in 2016,” Kreb on Security reports that Defense Point CEO George McKenzie wrote in the email alert to employees. “Unfortunately, your W-2 was among those released outside of DPS.”

We wrote about W-2 phishing scams last month but here’s a quick recap:

Basically, a cyber criminal poses as someone within an organization (usually the boss or CEO) and sends an email asking for W-2 information. The requests are usually tagged as “time sensitive” or “urgent,” so that any good employee will respond ASAP. The FBI sent out a press release earlier this year, calling W-2 phishing schemes the “most dangerous” they’ve ever seen and warning that thieves were particularly targeting schools, non-profits, and tribal groups.

Which is why this news from Defense Point Security — which, by the way, provides cyber security to the federal government, including the U.S. Immigration and Customs Enforcement (ICE) Security Operations Center (SOC) — is particularly galling. If a company that specializes in internet security can fall victim to this type of fraud, what does that mean for everyone else?

One important thing to remember, however, is that W-2 phishing is a very human-centric form of attack. Instead of trying to crack the code of passwords or figuring out how to steal a massive database of sensitive information (both of which require serious technical chops), all the thieves have to do is determine the name and email address of a CEO, the email address of a likely target within the organization, and then how to create a fake email address to send the request from.. That’s it!

With the information gleaned from a successful W-2 phishing attack, criminals now have all the information needed to file a false tax report and receive a massive return. Security reports have found that W-2’s are even being sold on dark net sites.

People are socially engineered to respond quickly to bosses and to trust that any message coming through an internal email communication system is valid. Thieves who steal information via a W-2 phishing scheme (or any other spear phishing scheme) rely on those facts. All it takes is one employee responding to one email to put an entire company at risk.

Share this post

About Tenta

Tenta is a next generation browser designed for privacy and security. Built-in true VPN, full data encryption, video downloader, secure medai vault, HTTPS Everywhere, Tenta DNS, and more.

View all posts by Tenta >

Install Tenta Browser Free!

Start protecting your online privacy today with Tenta Browser.

Download Tenta Browser Google Play Button