SAN FRANCISCO — Cyber experts at this week’s RSA security conference are warning consumers to take steps to prevent hackers from stealing their W-2 forms and other sensitive tax documents.
The warning follows several incidents in which hackers sent company officials what appeared to be legitimate requests for copies of their workers’ W-2s. Renovate America, a solar financing company in Rancho Bernardo, inadvertently gave a hacker sensitive tax information for about 800 current and former employees.
Such “phishing” attacks are increasing — and can be avoided, said Kevin O’Brien, chief executive of GreatHorn, a Boston-based security company.
O’Brien discussed the problem and what to do about it during an interview with The San Diego Union-Tribune.
Q: Traditionally, Americans have received their W-2 forms via “snail mail.” Do they also have the option to get them electronically? How are hackers getting involved in this aspect of our lives?
A: Most companies today have digitized their tax forms. Organizations, for the sake of efficiency, often default to sending electronic copies of W-2s, even when they also send paper copies in the mail.
What’s more concerning here is that these documents are almost always stored in digital form by the companies themselves. That makes these files a ripe target for attackers, because there are multiple people who can access, share and ultimately breach employee data over any number of channels because of this electronic storage.
Q: Is this emerging as a significant problem?
A: The Internal Revenue Service published a warning last year on this, and re-flagged it as being more sophisticated earlier this month. The W-2 scam is a highly effective way that ordinary Americans are seeing their most sensitive data lost to attackers.
If you read the IRS’ advice, it’s largely about what to do when a business user recognizes one of these attacks. Sadly, relying on folks who are just doing their jobs — and who are likely under pressure as tax season rolls around — to somehow identify sophisticated spoofing attacks and then flag them is a fool’s errand.
The reality is that even with strong, foundational security in place, nearly 1 percent of all emails that get around existing security tools businesses invest in have indicators of fraud within them. That sounds small until you realize that by the end of this year, over 132 billion emails will be sent every single day. That’s a lot of malicious messages that could trick someone into giving up your family’s most private data.
The key problem here is “cognitive load,” which refers to the total amount of mental energy that someone can expend. If you take the typical HR or finance professional, heads-down on getting all of the required end-of-year financial data assembled prior to sending out staff W-2s, you’ll see that they have a very high overall mental load going on.
There’s a limit to how much anyone can hold in working memory at any given time, which is why even with training on these types of threats, attackers who understand social engineering and psychology can still trick companies into giving up W-2s and other sensitive data.
Q: What is the most common mistake people make that exposes their information to hackers?
A: The most common mistake we see is in thinking along the lines of, “Oh, we can just tell people to be careful!”
The challenge is that many people underestimate cyber criminals. These aren’t kids living in their parents’ basements any longer. While there was a time when that may have been a (semi-) accurate portrayal of the state of cyber crimes, today’s hackers are most commonly either career cyber criminals backed by international crime syndicates or foreign nation states and military groups.
So long as we think of cyber crime as being somehow less of a threat than it is, we’ll make poor decisions about how to respond.
Q: What are best ways to prevent hackers from getting people’s tax details?
A: There are steps that can be taken to minimize the kinds of threats described above — simple things like automatic warnings that flag that a message is a fraud, for example. … The essential step here is in being willing to spend the time, money and effort to go beyond simple feel-good actions and dedicate risk-appropriate resources to solving this problem.
W-2 scams can be stopped. It requires dedicated technology and a keen understanding of just how hard it is to rely on intuition when it comes to spotting and safeguarding against threats to sensitive data, rather than relying on old-school network-based tools to scan email or, worse yet, training programs that have proven time and again to be ineffective.
As private citizens, we need to learn to demand that our employers take appropriate measures to safeguard this information. Ask your company how it’s responding to the IRS’ warnings; don’t accept brush-off answers or the fallacious “it won’t happen to us” reasoning that so many organizations fall victim to.
Statistically, 91 percent of all data breaches begin with a simple phishing attack. If your company can’t point to specific and measured defenses against these types of threats, your tax information has a bright target painted on it for cyber criminals.
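The “automatic warnings” O’Brien refers to are, in practice, rules that compare what a message claims about its sender with what its headers and body actually say. The script below is an added illustration of that idea, not part of the article and not GreatHorn’s product: it parses two constructed messages (one imitating the W-2 request scam described above, one benign) and flags a W-2 request only when it is combined with a sender-identity warning sign. The internal domain `example.com`, the executive roster, and the keyword patterns are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organization's own mail domain and the
# executives an attacker would most likely impersonate (display name -> mailbox).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan": "pat.morgan@example.com"}

W2_PATTERN = re.compile(r"\bW-?2s?\b", re.IGNORECASE)
REQUEST_PATTERN = re.compile(r"\b(send|forward|need|copies|copy|list|pdf)\b", re.IGNORECASE)
URGENCY_PATTERN = re.compile(r"\b(urgent|asap|today|immediately|right away)\b", re.IGNORECASE)

# A W-2 request by itself is normal during tax season; a W-2 request that also
# carries one of these sender-identity indicators is what gets flagged.
SENDER_INDICATORS = {"display_name_spoof", "lookalike_domain", "reply_to_mismatch"}


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message):
    """Return {'flag': bool, 'reasons': [...]} for one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    reasons = []

    if W2_PATTERN.search(text) and REQUEST_PATTERN.search(text):
        reasons.append("w2_request")
    if URGENCY_PATTERN.search(text):
        reasons.append("urgency")

    # Display name matches an executive, but the mailbox is not that executive's.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append("display_name_spoof")

    # A sender domain one or two characters away from ours is a classic spoof.
    sender_domain = domain_of(from_addr)
    if sender_domain != INTERNAL_DOMAIN and 0 < edit_distance(sender_domain, INTERNAL_DOMAIN) <= 2:
        reasons.append("lookalike_domain")

    # Replies would silently leave the domain the message claims to come from.
    if reply_addr and domain_of(reply_addr) != sender_domain:
        reasons.append("reply_to_mismatch")

    flag = "w2_request" in reasons and any(r in SENDER_INDICATORS for r in reasons)
    return {"flag": flag, "reasons": reasons}


# Constructed sample messages for the example; not real mail.
ATTACK = """From: Pat Morgan <pat.morgan@examp1e.com>
Reply-To: Pat Morgan <pat.morgan.ceo@gmail.com>
To: hr@example.com
Subject: W-2s

Hi, I need a PDF with copies of all employee W-2s today. Send it straight to me,
I am in meetings all afternoon. Thanks.
"""

BENIGN = """From: Pat Morgan <pat.morgan@example.com>
To: hr@example.com
Subject: Holiday schedule

Can we post the holiday schedule by Friday?
"""

if __name__ == "__main__":
    for label, raw in (("attack", ATTACK), ("benign", BENIGN)):
        print(label, analyze(raw))
```

The point of requiring two independent signals is the cognitive-load argument made above: a rule that fires on every mention of W-2s in February would be ignored by the HR team within a day, whereas a warning that says why the sender is suspicious (look-alike domain, external Reply-To) gives a busy person something concrete to verify by phone before replying.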
Twitter: @grobbins
gary.robbins@sduniontribune.com