Privacy Alert: Latest Phishing Scheme Targets W-2s

Posted by Christine Zebrowski on April 26, 2016 at 1:51 PM

A new “spear-phishing” scheme is active that targets employees, including Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs), in an attempt to obtain employee personal information and other data.

In a recent case involving a medium-sized company with offices in several states, hackers used a system that mimics employer email addresses to obtain employee W-2s, birth dates, and other information. Specifically, two email requests for 2015 W-2s and employee names and birth dates, which appeared to be from the CEO, were received by a company's Human Resources department. HR complied with the fake email request and personal information of the entire 2015 workforce was inadvertently disclosed. The company had experienced a prior attempt when HR received a strange email from the CEO’s email address, which HR disregarded as a mistake. The successful attempt followed about a week later. Several employees in the affected company discovered misuse of their information following the breach, including falsely filed tax returns.

W-2s contain sensitive personal information such as Social Security numbers, full names, and addresses, which can be sold or used for identity theft and financial fraud. W-2s in particular give an identity thief almost everything needed to commit tax fraud.

The ease with which the hackers obtained the information is a reminder to all businesses to review their internal data privacy practices and implement reasonable safeguards. Companies can reduce the risk of this latest scam in two ways: by encrypting all personal information before it is transmitted electronically, and by training employees, particularly Human Resources staff and others with access to personal information, to confirm every email request for personal information in person or by phone before sending anything.
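One way HR staff or a mail gateway could flag such a request for the in-person or phone check described above. This is an added example, not code from the original post; the company domain, executive names and message headers are constructed.

```python
import re
from email.utils import parseaddr

# Constructed sample values (not from the original post): the company's real
# domain and the executives most likely to be impersonated.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane ceo", "john cfo"}
SENSITIVE = re.compile(r"\bw-?2s?\b|social security|birth\s*dates?", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one typo away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True for a domain that resembles the company domain without being it."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    base = COMPANY_DOMAIN.split(".")[0]
    return edit_distance(domain, COMPANY_DOMAIN) <= 2 or base in domain

def assess(from_header, reply_to, subject, body):
    """Return the reasons a message should be verified out of band before HR replies."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if is_lookalike(domain):
        reasons.append("sender domain mimics the company domain")
    if name.strip().lower() in EXECUTIVE_NAMES and domain != COMPANY_DOMAIN:
        reasons.append("executive display name on an external address")
    if reply_to:
        _, rt = parseaddr(reply_to)
        if rt.rsplit("@", 1)[-1].lower() != domain:
            reasons.append("Reply-To points to a different domain")
    if SENSITIVE.search(subject + " " + body):
        reasons.append("requests W-2 or other sensitive employee data")
    return reasons
```

An empty list means nothing automated stood out; a non-empty list is the cue to pick up the phone rather than reply.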

In the event of a breach, companies should seek legal counsel immediately to develop a breach response plan. State law governs the contents and timing of breach disclosure notices to affected individuals, and notification to state authorities may also be required.

For more information, please contact Christine Zebrowski at czebrowski@outsidegc.com or (202) 425-6711.


Topics: Data Privacy, Employment
