Nearly a year ago, in February 2017, the IRS issued a warning regarding phishing attacks targeting a broad range of companies. The scam involves a hacker impersonating an employee of a company, usually the CEO, and sending an email asking for a list of employees and their W-2 forms. The hacker would then make fraudulent tax filings using the W-2 forms. The scam is similar to the traditional Business Email Compromise (BEC), which involves spoofing an employee account in order to direct wire transfers to fraudulent accounts.The scam was enormously successful. And while the IRS is taking steps to prevent the use of this information for tax fraud, companies that fall victim to these scams may still be liable under data breach laws and for other identity fraud that can be committed using this data.
Below are five questions in-house counsel should be asking their information security team to mitigate their company’s risk.
- Do we transmit employee HR information, particularly Social Security numbers and W-2 or similar tax forms, by email? Is it possible to limit the transmission to a more secure method, such as through a restricted access cloud account with limited permissions for access and downloading?
- If we do transmit these files by email, do we require them to be encrypted or password-protected? (And if so, how are these passwords created and shared?)
- Do we have a policy in place about who can access, request, or receive this information? Do we have a “whitelist” of people who should have access? And do we require phone or other confirmation before transmitting such information?
- Do we have logging in place for where we store this information that would allow us to determine if there has been unauthorized access?
- Have we done a search for similar domain names to ours that could be easily spoofed? (For example, if our domain is startup.com, do we also own stantup.com or slartup.com?) Are we aware of who owns addresses similar to ours?
Implementing just a few of these tools and policies can help reduce your company’s exposure to cybersecurity attacks.