It looks innocent. An email from the boss asking for the latest report of W-2s, or maybe a roster of email addresses, home addresses or Social Security numbers of all the employees at your company. Oh, and please send as an attached PDF. While the request may seem a bit strange, who are you to question it? The logo looks correct, the boss’s name is spelled correctly, and you’ve got a lot to do. So, you gather up the information and send it off.
There’s only one problem. The email didn’t come from your boss; you’ve been whaled. A hacker somehow snuck into the company email server, nabbed the boss’s email address, formatted the email to look like it came from the inside of the company, and sent it to you so the hacker could commit identity theft of every employee at your company.
This phishing scheme involving W-2s, known as whaling, isn’t exactly a new trick. But it can seem brand new to someone who has never experienced it, or is new to the company. This time of year, tax return fraud is a huge operation for criminal activity. In fact, it may be at a higher risk this year because of last year’s Equifax breach. The FBI just noted an increase of W-2 phishing campaigns of businesses.
Here’s what you need to look for as a business owner or if you’re in charge of sensitive employee data:
Read the email carefully. Does it use the same language your boss would use? Here’s an example of the kind of wording the IRS sees frequently: “Kindly send me the individual 2017 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
Hover over the email address and see where the email was actually sent. If it registers somewhere outside of the company, chances are it’s not from your boss.
Ask questions. Pick up the phone or go to the office and confirm the request with someone from the boss’s office.
Don’t hit reply or click on any attachments in the email, as this might launch a malware or virus into your company’s system.
Whether small, medium or large, your business could be the target of a whaling scam. Don’t get hooked – report it to BBB’s Scamtracker.
Sandra Guile is a Better Business Bureau community outreach specialist. She can be reached at 513-639-9126 or firstname.lastname@example.org