Tuesday, 5 April 2016

Cyberthieves’ latest target: Your tax forms

By Robin Sidel


Companies are on the lookout for an email scam that can wreak havoc on employees’ lives for years.


Weight Watchers (Photo by Tim Boyle/Getty Images)

An email scam targeting companies is putting huge amounts of individuals’ tax information into the hands of criminals, potentially wreaking havoc on the victims’ lives for years.
Coming at the height of tax season, when millions of workers are filing their federal and state returns, the “phishing” or “spoofing” scheme is simple and effective: The perpetrator, impersonating a company’s high-ranking executive from a phony email address that appears legitimate, fools staffers in the payroll or human-resources departments into forwarding W-2 forms or other tax information.
“It’s huge. It’s just huge,” said Dolores Furniss, manager of state and federal tax programs at the Utah State Tax Commission, which, like other state agencies, is scrambling to deal with the fallout. She said her office was notified on Thursday by a company that it was victimized, and within an hour she had fielded phone calls from 10 employees.
Scores of companies employing hundreds of thousands of workers have already disclosed that they have fallen victim to the scam. Weight Watchers International Inc. is one of the latest victims.
“In what has, unfortunately, become common, Weight Watchers was targeted by criminals using a phishing scam to obtain personal information about some current and former employees,” the company said in a statement over the weekend. The attackers received information about 434 former and current employees out of a current U.S. workforce of roughly 13,000.
Other victims include data-storage firm Seagate Technology PLC in Cupertino, Calif.; Billy Casper Golf, a golf-course company based in Reston, Va.; biotechnology company PerkinElmer Inc.; and Phoenix-based regional grocery chain Sprouts Farmers Market Inc.
Stolen information from these scams is being sold on underground websites, and criminals are using the data to file fraudulent tax returns and collect the refunds, according to tax and cybersecurity experts. Even those employees who don’t have their identities stolen could face delays in getting their tax returns or other additional scrutiny, since tax departments will take extra measures to ensure the authenticity of filings from employees of companies that experienced thefts.
The thefts are especially damaging since they often include Social Security numbers, which can’t easily be canceled and replaced like credit cards, meaning thieves can continue to try to use the stolen information for years, experts say.
“Kindly prepare the lists and email them to me asap,” read one such email, according to the Internal Revenue Service, which issued an alert about the scam last month.
An employee, thinking the request from a superior is authentic, then sends the W-2 data to the fake email address. An employee’s W-2 form includes a Social Security number, address, salary and other information that thieves could use for identity theft or to file fake tax returns.
Tax officials say thieves are targeting companies of all sizes; at least 50 have already reported that they were victims.
“We are definitely talking about many, many thousands of employees and I would have to think there are some companies that aren’t confessing to it,” said Verenda Smith, deputy director of the Federation of Tax Administrators, an organization of state tax officials.
A spokesman for Seagate said several thousand current and former employees were affected by the deceit, which the company discovered on March 1. “The information was sent by an employee who believed the phishing email was a legitimate internal company request,” the company said in a statement. Seagate is offering two years of credit monitoring to affected workers.
“We sincerely apologize for this situation and are working to enhance our controls and make additional investments in protocols, technology and training,” said Donna Egan, spokeswoman for Sprouts Farmers Market, which has more than 21,000 employees and 220 stores.
Representatives of PerkinElmer and Billy Casper Golf couldn’t be reached for comment.
The trouble comes as the IRS is still recovering from a 2015 attack in which hackers gained access to as many as 700,000 taxpayer accounts. The agency didn’t respond to a request for further comment on the scam.
The pervasiveness of the latest scam highlights how easily employees can unwittingly expose important data to criminals. Companies are increasingly warning employees about the risks associated with clicking on unfamiliar email links or responding to unusual requests that appear to come from co-workers.
In Georgia, tax authorities received a call on Wednesday from a company’s chief financial officer who said W-2 information for his 20 employees had been exposed in the email scam. State officials quickly discovered that false returns had already been filed for some of those employees, although refunds had been blocked because the filings seemed suspicious.
“We will continue to help those employees for years to come because once the identity is compromised, it is compromised forever,” said Josh Waites, director in the office of special investigations in the Georgia Department of Revenue.
Cybersecurity experts also say that the scam shows criminals are more often targeting specific employees who have valuable information rather than hacking into a computer network in a blind search for data.
“It’s one-stop shopping. It’s easy and is low-tech,” says Brian Lapidus, managing director in the identity-theft and breach-notification practice at Kroll Associates Inc. He says the investigations firm is receiving multiple calls daily from companies that have released W-2 information to criminals.
The scam is a twist on an increasingly popular cyberattack known as “business email compromise” in which criminals impersonate an executive in an email and ask a subordinate to wire money to a bank account. The funds are typically then quickly siphoned into an offshore bank account where they are difficult to retrieve.
The Federal Bureau of Investigation said last year that it has tracked more than 7,000 companies that have been victimized in such compromises since late 2013, resulting in more than $740 million in losses.
Culled from The Wall Street Journal
