Thursday, May 5, 2016

Thousands of taxpayers affected by W-2 Phishing attacks this year

May 2, 2016

Thousands of taxpayers have been impacted by a wave of Phishing attacks targeting W-2 records, with more than sixty organizations reporting such incidents in the first half of the year.

By taking advantage of the trust relationships that exist within a given company, these attacks have resulted in at least $2.3 billion in losses over the last three years.

Business Email Compromise / Correspondence attacks (BEC attacks) aren't overly clever, but they're effective. A person with authority is impersonated, and a lower-level staffer is asked to share W-2 records or related payroll information. That's all there is to it.

Because the request looks and feels legitimate, the employee usually complies, but there have been a few cases where the scam was flagged before any damage could be done.

Last month, Jonathan Sander, vice president at Lieberman Software, remarked to Salted Hash that the common theme in each successful attack is also the reason why the success rate should be zero.
"The employee shouldn’t have been able to access that much data without some sort of oversight kicking in. The fact that a single employee, for any reason, could grab so much data and simply send it to anyone, regardless of who they think that person is, is a scary prospect when you stop to think about it. Of course, you can also ask why an employee would be fooled into thinking that an executive would be making such a sweeping request," Sander said.

In the first quarter of 2016, at least 41 organizations were victimized by BEC attacks, but that number is closer to 70 when additional disclosures are counted. Some organizations were successfully hit earlier in the year, but only just recently discovered the problem, delaying notification.

On April 25, GoldKey | PHR, a hotel management company that controls a large part of the rooms on Virginia Beach, disclosed that W-2 information was compromised on February 29, but this fact wasn't discovered until April 3. The cause of the breach was listed as a "criminal Phishing email" and impacted at least 3,000 people.

Also on April 25, NetBrain Technologies Inc., a network visualization firm based in Burlington, Massachusetts, said someone posed as a company executive and requested 2015 W-2 data on March 3. The documents were delivered as asked, impacting all employees.

On April 12, the Girl Scouts of Gulfcoast Florida disclosed that on March 17, someone impersonated the author of the notice itself, Betsy Laughlin, the Director of Finance, and requested 2015 W-2 records. Because the request was spoofed to appear as if she sent it, the employee who received it didn't hesitate.

On April 26, Michels Corporation, a contractor based in Brownsville, Wisconsin, disclosed that a company executive was impersonated by a scammer, requesting 2015 W-2 records. The incident occurred on April 16, and impacted more than 5,000 current and former employees.

With a low barrier of entry to launch such a campaign, and an even lower overhead, criminals show no signs of slowing when it comes to targeting W-2 information. Even if the stolen data isn't used immediately, it can be compiled and sold for a number of different uses.

"If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees," IRS Commissioner John Koskinen said in a statement issued earlier this year with a memo warning about the rise in BEC attacks.

Many of the firms that have disclosed these incidents report that employees have detected tax fraud, which seems to be the ultimate goal in these attacks. Since 2015, the FBI says there has been a 270-percent increase in the number of identified victims and exposed losses.

Article by Steve Ragan, Senior Staff Writer, CSO

Tuesday, May 3, 2016

Payment via iTunes? Red flag it’s a scam

Millions of consumers use iTunes to purchase and listen to their favorite music. Unfortunately, scammers are always on the lookout for new ways to get paid for their swindles, and some have latched on to the popular music service as a new way of bilking consumers. No, they’re not looking for the new Adele album. Instead, they’re focused on the iTunes gift cards that are sold by retailers across the country.

NCL has recently received an increasing number of complaints from consumers who report that they’ve lost money after a fraudster asked them for payment via an iTunes gift card as a part of a scam. We’ve seen this happen in the context of fake online loans (where the consumer is instructed to pay for "application and processing fees," for example) and bogus car buying (e.g., cheap car advertised online, payment requested for "insurance" or "shipping"). We’ve also seen reports of scammers demanding payment via iTunes gift cards in fake debt scams and impersonator scams (also known as “grandparent” scams).

Here’s how the scam works: First, the scammer instructs the consumer to go to a retailer (such as a grocery or drugstore) and purchase and load an iTunes gift card with hundreds of dollars. The scammer then instructs the consumer to provide the 16-digit code on the back of the card (after the buyer scratches or peels off the label) to the scammer via email or text message. Once this is done, the funds on the card are quickly depleted by the scammer and the consumer victim is left with a worthless piece of plastic. The scammer may ask for additional funds (again, paid for via iTunes gift card) for other bogus “fees.” This often continues until the victim catches on and refuses further payment.

A complaint we received recently from a consumer in California is typical of the scam:

“I saw an ad for a 2008 Honda Civic LX for $2,500. For such a price, I was interested so I contacted the seller through the website. She responded the next day and said I would be able to pay her through a third party. I ended up receiving an email which I thought was from Apple Pay. It seemed legitimate so I followed the instructions on the invoice, bought $2,500 worth of iTunes cards and sent an email with the cards and the receipts. I thought it was proof of purchase and I got a confirmation email, so I thought everything was alright. Then a day later I got an email asking for $1,000 for insurance purposes and the same method of payment so I sent it over. When I did not get a confirmation email I got concerned and emailed the owner and she said the car was being shipped. After that, I didn't hear anything more.”

There’s a thriving black market for stolen iTunes gift codes sold at steep discounts. This enables scammers to turn those stolen codes into cash before the victim catches on. Here are some tips to help you spot these scams and avoid getting added to a scammer’s playlist:
  1. If you are asked to pay for a product or service via an iTunes gift card (even if it’s associated with another Apple payment product like Apple Pay) it’s a scam.
  2. Do not give out the code on the back of an iTunes gift card to anyone. This code is all that’s needed to drain the card of all its value.
  3. If you want to send an iTunes gift to someone, the safest way to do it is via the iTunes app (on iOS devices like iPhones or iPads) or the iTunes desktop program. Instructions on sending iTunes gifts are available here.
  4. If you’ve already purchased the card and provided the code to someone you think is a scammer, contact Apple immediately via to see if they can cancel the card before funds get depleted.
Have you been a victim of an iTunes gift card scammer? We want to know! You can file a complaint at via our secure online complaint form. We’ll share your complaint with our network of more than 90 law enforcement and consumer protection agency partners who can and do put fraudsters behind bars.

Thursday, April 28, 2016

Shred Event TODAY!

Did you know...
There's a 1-in-33 chance you'll have your identity stolen in the next year.

Shred Event
Thursday April 28 - TODAY!
1:00pm - 3:00pm
Main Circle Drive by the Launer breezeway

Tuesday, April 26, 2016

This week for our Tech Tip Tuesday, we're focusing on making sure you're secure!

Check it out here.

Thursday, April 21, 2016

Tech Trivia Thursday

#TechTriviaThursday is in honor of our shred event again, coming up on the 28th NEXT WEEK!

Did you know...
It only takes one or two pieces of personal information from your trash for a thief to steal your identity.

Make sure and get our shred event on your calendar!
Shred Event
Thursday April 28
Main Circle Drive

Wednesday, April 20, 2016

What to shred?

Last week we gave you reasons why you should shred; now here's a list of what you should shred. And don't forget to get the shred event on your calendar, it's next week!

What to shred?
  • Anything that has a signature, account number, social security number, or medical or legal information.
  • Address labels from junk mail and magazines
  • ATM receipts, Bank statements
  • Birth certificate copies
  • Canceled and voided checks
  • Credit and charge card bills, carbon copies, summaries and receipts
  • Credit reports and histories
  • Documents containing maiden name (used by credit card companies for security reasons)
  • Documents containing name, address, phone or e-mail address
  • Documents relating to investments
  • Documents containing passwords or PIN numbers
  • Driver's licenses or items with a driver's license number
  • Employment records
  • Employee pay stubs
  • Expired passports and visas
  • Unlaminated identification cards (college IDs, state IDs, employee ID badges, military IDs)
  • Legal documents
  • Investment, stock and property transactions
  • Items with a signature (leases, contracts, letters)
  • Luggage tags
  • Medical and dental records
  • Papers with a Social Security number
  • Pre-approved credit card applications
  • Receipts with checking account numbers
  • Report cards
  • Résumés or curriculum vitae
  • Tax forms
  • Transcripts
  • Travel itineraries
  • Used airline tickets
  • Utility bills (telephone, gas, electric, water, cable TV, Internet)

Friday, April 15, 2016

Did you miss our Cloud Security Training this past week?

You can find the slides on the Documentation Page of our Tech Training site under Security Awareness > Cloud Security Training.

 Or click here to view the PDF directly.