It seems that February was a busy month for scammers, who managed to trick a number of companies into coughing up confidential payroll information about their staff.
I’ve already described how workers at Snapchat and Seagate were duped into believing that they were helping out a senior member of their management team when they sent out IRS W-2 tax forms (which include such sensitive information as workers’ social security numbers, salaries, and addresses) to an attacker.
But now, as suspected, it has become clear from documents filed with the authorities that other companies fell foul of the same scam.
Corporate victims have included uniform rental service AmeriPride, IT firm Actifio, Billy Casper Golf, and media company Evening Post Industries – all of whom appear to have fallen for the same trick.
There’s an important lesson for companies and staff to learn here, as I explained in a recent YouTube video about the Snapchat breach: it’s okay to say no to your CEO.
If you haven’t run an awareness campaign to train your staff about the dangers of targeted phishing attacks, and just how easy it is for criminals to forge an email which appears to come from your CEO, then you are playing a dangerous game with your staff’s personal information.
The very real risk is that criminals will exploit the stolen information by creating online accounts with the IRS in order to fraudulently claim tax refunds.
Hat-tip: databreaches.net.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
