"On or about March 1 or 2, an Alpha Payroll employee responded to a 'phishing' scam email in which the sender represented himself or herself to be the CEO of Alpha Payroll and disguised his or her email address as that of the CEO. In this email, the fraudster requested copies of all the 2015 W-2 forms produced by Alpha Payroll on behalf of its customers. As a result of hidden commands embedded within the email by the sender, upon responding to the email, the reply message was rerouted and sent to the email account of the third-party sender."

CEO fraud involving W-2 data is just one of the scams the IRS has detected this tax season. Back in March, an employee of an Arizona-based supermarket chain also fell for a W-2 phishing scam that might have compromised the sensitive personal information of 21,000 employees. No mention of punitive action against the employee was made, however. The same cannot be said for Alpha Payroll.
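The notice above describes a reply that was silently rerouted to the fraudster's mailbox. The following added example (not code from the article or from Alpha Payroll) shows a simple defender-side check for that pattern, modelling the rerouting as a Reply-To header pointing outside the sending domain, which is an assumption since the notice does not name the mechanism; the organisation domain, executive name and sample message are all constructed.

```python
# Added example: flag messages whose From line imitates an executive and whose
# reply would be delivered to a different mailbox than the apparent sender.
# ORG_DOMAIN, EXEC_NAMES and SAMPLE are constructed for illustration.
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "alphapayroll.example"   # assumed organisation domain
EXEC_NAMES = {"jane doe"}             # assumed CEO display name (lower-case)

def header_addr(msg, name):
    """Return (display_name, address) for a header, or ("", "") if absent."""
    raw = msg.get(name)
    return parseaddr(raw) if raw else ("", "")

def audit_message(raw_bytes):
    """Return a list of reasons the message looks like CEO impersonation."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    from_name, from_addr = header_addr(msg, "From")
    _, reply_addr = header_addr(msg, "Reply-To")
    from_domain = from_addr.rpartition("@")[2].lower()
    # An executive's display name on an address outside the organisation.
    if from_name.strip().lower() in EXEC_NAMES and from_domain != ORG_DOMAIN:
        reasons.append(f"executive display name with external address {from_addr}")
    # A Reply-To that routes the answer to a mailbox other than the sender's.
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            reasons.append(f"reply would be routed to {reply_addr}")
    return reasons

# Constructed sample: look-alike sending domain plus a third-party Reply-To.
SAMPLE = b"""From: Jane Doe <jane.doe@alphapayrol1.example>
Reply-To: Jane Doe <ceo.office@mailbox.example>
To: payroll@alphapayroll.example
Subject: 2015 W-2 forms for all clients

Please send me copies of all 2015 W-2s today.
"""

if __name__ == "__main__":
    for reason in audit_message(SAMPLE):
        print("ALERT:", reason)
```

A check like this belongs in the mail gateway or a mailbox rule, where it can quarantine or flag the message before a payroll clerk ever sees it.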
"If you fire every employee who clicks a Phish you will soon have no employees," commented Cris Thomas, security expert and Strategist at Tenable, as quoted by Salted Hash. "While anti-Phishing training may reduce the number of incidents, it will never be 100-percent effective. It only takes one person to click, even by mistake. You need to assume that a Phish will succeed, that bad guys will get in. It's what you do after the attack that matters."

Salted Hash goes on to note there is some evidence indicating that Alpha Payroll might have an internal policy barring employees from sharing W-2 data. Clarification from the head of Alpha Payroll is at this time still pending.