Spear-Phishing and W-2 Scams: How to Stay Protected


As originally published in the American City Business Journals.

“The most devastating attacks by the most sophisticated attackers almost always begins with the simple act of spear-phishing.”
– Jeh Johnson, former Secretary of Homeland Security

Phishing attacks are the definition of a tried-and-true cyberattack; they’ve been circulating for decades, and boy are they still good at bringing businesses to their knees.
What are they, and how can you avoid getting duped? Let’s talk about it.

Phishing vs Spear-Phishing

First, let’s work through what these clever little terms mean.
“Phishing” refers to someone trying to trick you into revealing sensitive information. It can take many forms: a bogus bank asking you to enter financial information on their (also bogus) website, or “Google” asking you to send over your account credentials for whatever legitimate-sounding reason.
“Spear-phishing,” as the metaphor would have it, is a far more targeted attack; where the phishers above are posing as a trustworthy entity, spear-phishers will pose as a trustworthy individual. These attacks often use email spoofing to mask unfamiliar email addresses with those that we’d recognize, like a friend, relative, or coworker. The scammers do their research, and they rely on exploiting your established relationships rather than playing a sheer numbers game with more generic attacks.
There’s also “whaling,” which describes attacks that target senior management specifically.
All of these variations are frighteningly effective when it comes to fooling even tech-savvy computers users; if you aren’t paying close, paranoid attention at all times, you too could easily make a devastating mistake.

New Call-to-action


Common Scams

I’ve talked before about fraudulent wire transfer requests, which are still costing businesses money left and right. A “CEO” will request an immediate transfer to a bank account, and well-intentioned CFOs will snap into action before they have the chance to realize that there was something just a little “off” about the email.
What’s gaining serious steam right now are W-2 scams (which sometimes come in addition to a transfer request); the IRS recently issued a warning to businesses that scammers are on the hunt for the tax documents that conveniently hold all the information required to steal someone’s identity.
Here, someone in your HR department might receive an email that appears to be from a company executive. They request a copy of each employee’s W-2, and, in many cases, the staff member will comply straightaway. So far, there are nearly 30,000 confirmed victims.  

How to protect your business

The more sophisticated these attacks get, the more difficult it is to identify them before it’s too late. The best ways to stay protected are:

  • Train your spam filter. Since many spoofed emails will appear to come directly from your organization, you can set your spam filter to block emails from your domain (@companyname.com) that are sent from outside your email system. This will catch some spear-phishing attempts before they make it to your inbox.
  • Keep your firewall updated. Sometimes scammers will get extra clever and try to bypass your spam filter altogether. This is where your firewall can step in to block the email.
  • Educate your staff. This is by far the most important, as neither precaution above is bulletproof. Every member of your team needs to know how to identify a suspicious email, and how to proceed once the flag is raised. Create and enforce policies around how funds and confidential information can be shared. There are also some social engineering tools that your IT provider may be able to set you up with; there are different platforms that will send faux-phishing emails out to your staff, see who bites, and take them through relevant training materials to correct the behavior.


New Call-to-action

Sure, this is all yet another thing to worry about when you’re onboarding new staff and crafting your IT policies; it’s easy to feel overwhelmed by all the threats running around on the World Wide Web.
But you can either worry about it now, or worry about working with law enforcement, lawyers, and insurance companies after a staff member accidentally exposes every single one of your employees.
Kind of a no-brainer, right?