How to Detect & Prevent Payroll Phishing Attacks

Tax season is always the favorite time of the year for adversaries aiming to gain access to payroll data, but this year phishing schemes have surfaced earlier and in greater quantity than usual. A couple of months ago, the personal and financial information of the city of Batavia’s personnel was compromised through an email phishing scheme targeting W-2 tax forms. The exposed information included social security numbers, addresses, earnings, and names of several hundred councilmen, staffers, and others who had received W-2 forms from the city of Batavia.

The threat actors are conducting extensive due diligence on the social engineering side, which enables them to identify school executives, HR professionals, or others in a role of authority. Using a technique known as BEC (business email compromise), adversaries effectively spoof the senders’ accounts. Both the “FROM” and “TO” fields contain legitimate email addresses, and unsuspecting personnel rely on the apparent accuracy of the sender’s email address when sharing the requested information. The reply, and the information in it, is routed to a hidden email address managed by the adversary.
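As an added illustration, not part of the original post, the checks below look for the mismatch described above: a From address that looks internal while a Reply-To or Return-Path header quietly routes replies to another domain, combined with a request for payroll data. The organization domain, addresses, and both messages are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Assumed organization domain and the terms a payroll request would mention.
INTERNAL_DOMAIN = "example-city.gov"
SENSITIVE_TERMS = ("w-2", "w2", "wire transfer", "payroll", "social security")

# Constructed sample messages, not real mail. SPOOFED mimics the BEC pattern:
# From and To look internal, but replies go to an outside mailbox.
SPOOFED = """\
From: Jane Smith <jane.smith@example-city.gov>
To: payroll@example-city.gov
Reply-To: jane.smith@example-city-hr.com
Return-Path: <bounce@example-city-hr.com>
Subject: W-2 forms needed today

Please send the W-2s for all staff as a single PDF.
"""
LEGIT = """\
From: Jane Smith <jane.smith@example-city.gov>
To: payroll@example-city.gov
Subject: Agenda for Monday

See attached.
"""

def domain_of(header_value):
    """Lowercase domain of an address header, or '' if there is no address."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw):
    """Return (routing_findings, content_findings) for one raw message."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    routing, content = [], []
    # Reply routing that diverges from the visible sender domain.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            routing.append(f"{hdr} domain '{dom}' differs from From domain '{from_dom}'")
    # The content signal: subject or body asks for payroll-related data.
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    hits = [term for term in SENSITIVE_TERMS if term in text]
    if hits:
        content.append("asks for payroll data: " + ", ".join(hits))
    return routing, content

def is_suspicious(raw):
    """Flag only when a routing mismatch coincides with a payroll data request."""
    routing, content = bec_indicators(raw)
    return bool(routing) and bool(content)
```

Authentication results (SPF/DKIM/DMARC) from the receiving gateway are the stronger signal when available; these header checks are a cheap complement that also catches the lookalike Reply-To case.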

An enterprise victimized by a payroll phishing scam can experience a long list of negative consequences, including significant imputed and out-of-pocket costs from obeying mandatory breach notification laws; distracted, anxious and furious employees; and class action litigation in some cases.

Successful phishing schemes result in adversaries obtaining troves of sensitive data, including social security numbers, addresses, salaries, dates of birth, and employer information, as well as the names required for tax filings. Cybercriminals use their newfound “assets” to file and process fake tax returns (Form 1040) that generate illegitimate refunds, or sell the sensitive information to identity thieves on the black market.

Notably, the emails aren’t limited to requesting W-2 information. According to the IRS, they can request wire transfers in addition to payroll-related forms and even target district (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Dan Virgillito. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/h_8LYoP2DNs/