There’s no need to have all of your ducks in a row before beginning security awareness. A couple of years ago, I was in discussions with a workplace about cyber security awareness. The technology director was in the early stages of planning a comprehensive cyber security effort and wanted to hold off on implementing security awareness until he coordinated the overall effort with one vendor. I did not press the issue because my company specializes in one thing: security awareness, not the full suite of cyber security activities. Fast forward two years. This workplace fell victim to a W-2 phishing scam.

Maybe you’re not ready to reach out to stakeholders like HR or the administration about awareness and training for the entire staff. That’s OK. You don’t need to get their buy-in to do this: download our W-2 phishing scam flyer and send it to your HR/payroll department or anyone with access to employee W-2s. Better yet, record a quick video message to go along with it.

The W-2 phishing scam is effective and has duped MANY, MANY workplaces. View a list of them here. As of April 3rd, 140 workplaces have been victimized. Last year, the list featured on databreaches.net contained 175 casualties.

Here’s how the scam works. A scammer visits your public website and identifies the boss and a person in HR/payroll. They e-mail the HR/payroll person, posing as the boss.  It may be something as simple as “Are you in?” When the employee responds, the scammer follows up with another e-mail, this time urgently requesting all employee W-2s. (Between January and March is the prime time for this scam, as it is tax season in the U.S.) The employee, not realizing the request is from scammer123@notyourorg.com and NOT the boss, e-mails the information. Once the W-2s are sent, it’s done. Game over. The W-2s are not only in the hands of a criminal who can sell them and/or commit identity theft or tax refund fraud, they’ve also likely been sent unencrypted and can be seen by third-parties. You will find yourself having to respond with a data breach notification, public statements, and purchasing credit monitoring for affected employees. You may even have to make a claim with your cyber insurance.

The technology professional in me wonders if there are some affordable e-mail/firewall vendors who have a built-in DLP solution to capture and stop emails with W-2 attachments from leaving the organization. That’s one option to explore. In the meantime, go talk to these high-risk groups in your workplace. Let the boss know that e-mail is a means for scammers to target their employees and trick them into providing this valuable information. Encourage the boss to draw attention to it in a workplace newsletter or other communication channel. “I would never ask you for this information through e-mail.”

So again, security awareness can be a distinct, stand-alone activity within an overarching cyber security or data governance initiative. Don’t wait until it’s too late. Start now, start with high-risk groups. We have a free resource to help educate your staff on phishing scams.