Security Awareness Training Blog

    [ALERT] New Strain Of CEO Fraud: Urgent Request for W-2s

    This morning, our Controller received an email from "me", stating the following:

    Alanna 

    I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
     
    Stu 
     
    Here is the screenshot how that looked. 
     
    Screen_Shot_2016-02-24_at_9.21.11_AM_1.png

    It just so happened that we have a new CFO so Alanna answered that she did not have access to that information anymore and that our new CFO could help me.  Our new CFO had just stepped through all our awareness training and smelled something phishy.  The two of them walked up to me and asked if I had requested a PDF with all W-2's. 

    Obviously I hadn't and congratulated them on a good catch. But imagine if we would have sent off those W-2's! It would have opened up our employees to identity theft because the W-2's have their full name, address, wages and social security number. 

    Analysis of the headers showed the hackers used someone's GoDaddy email server and the return address was definitely not me! However, it was a valid email address that the hackers were monitoring.  They answered and again impersonated me. Here is the screen shot:

    Screen_Shot_2016-02-24_at_10.47.52_AM.png

    Our phishing analysts started seeing this new attack arrive on Monday through the Phish Alert Button (PAB) submissions we get from our customers.

    The CFO-targeted phishes that we see through PAB submissions are almost all requested wire transfers. So, the W-2 request is a bit unusual, but the data can obviously be sold, used for identity theft and financial fraud, and mined for still more targeted phishing scams.

    W-2-themed phishes have recently become quite prevalent, and organizations have been warning employees about them. See: http://vtdigger.org/2016/01/23/state-workers-w-2-info-compromised-in-phishing-scam/


    But those phishes are targeted at regular employees and attempt to trick individual employees into coughing up personal info that can be exploited. The CFO-targeted phishes are a more efficient way to obtain the same data. Why bother sticking up individual victims on the street when you can simply rob the bank?

    I strongly suggest you warn your Accounting and HR teams that there is a new strain of CEO Fraud asking for W-2's.

    If you are a KnowBe4 customer, sending them this brand new template to inoculate them against this social engineering attack would be a really good idea.  You can find the template in Phishing -> Email Templates -> System Templates -> Business -> "Urgent Request". This template has a difficulty rating of 4 out of 5, and does not have a reply email address but a link to upload the PDF to.  Clicking the link presents the employee with the "oops" page.

    Let's stay safe out there.

     

    Topics: CEO Fraud

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe To Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews