Criminals are increasingly using social engineering scams to impersonate top executives and request transfers of funds or confidential employee information such as W-2 tax form data. The abundance of information available online and through social media makes it easier than ever to collect personal details about executives and employees and use them to make the fraud convincing. These kinds of attacks have cost businesses over $2.3 billion since 2014, according to the FBI. The IRS this month issued a warning to be on the lookout for more of these scams in the current tax season.
Here's how a typical harpooning attack (also called whaling or business email compromise) works: a lower-level finance or HR employee receives an urgent email that appears to be from the company's CEO asking for employee W-2 tax information immediately. The "CEO" says they are on vacation in the Bahamas (a detail easily gleaned from social media), and the employee, wanting to satisfy the boss, sends the W-2s, only to learn later that the request came from a scammer and the company's employee information has been compromised.
Scammers use publicly available information from company websites, social networks and other sources to impersonate executives and target lower-level employees in their organization. Beazley, a provider of data breach response insurance, offers these tips to help businesses protect against harpooning attacks:
1. Trust, but verify - Any unusual request to send funds or employee information should be confirmed through an alternate communication channel. Criminals can spoof an executive's email address, and even mimic their typical phrasing and communication patterns, so the message itself is not proof of who sent it. Employees receiving unusual requests from executives, vendors or business partners should always follow up with a phone call to confirm, using a number from the company directory rather than one supplied in the email. If it's that important, they will be sure to pick up the phone.
2. Check your website - Corporate websites often include contact information for top executives and customer-facing personnel, but too much contact information helps scammers pick out the weak links. Conduct a website audit to ensure contact details for lower-level employees, especially those in finance, are not available publicly; a published list of finance staff is a big help to thieves trying to target the employees most likely to have wire transfer capabilities.
3. Watch out for "out of band" requests for W-2s - Requests for employee tax information are a growing threat, and these harpooning attempts are the easiest to prevent. An "out of band" request is one that arrives outside the typical chain of command. There are very few legitimate circumstances in which a CEO, CFO or other top executive would request employee W-2 information directly from a junior employee.
4. Be aware of urgency - Scammers are likely to send requests conveying a great sense of urgency, hoping that an unsuspecting employee will send now and think later. They will make the employee believe they will be reprimanded by a high-level executive or headquarters if they do not act on the request immediately. Senior leadership should reinforce that taking the necessary precautions to safeguard employee information and the company itself is expected, not a delay to be punished.
5. Don't enable "social sleuthing" - Some scammers take advantage of executives who publicly post about their vacations or travel plans on social media, and then prey on lower-level employees by sending an email requesting highly sensitive employee information or a wire transfer to a third party on the executive's behalf. As a best practice, employees at all levels should be careful about what they make public on social media.
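The checks in tips 1 and 3 can also be automated at the mail gateway. The script below is an added example, not code from the original article or from Beazley: it flags inbound messages that carry a known executive's display name on an address that is not the executive's, that come from a lookalike of the corporate domain, that redirect replies elsewhere, or that ask for W-2s or wire payments. The company domain `example.com`, the executive roster and the three sample messages are constructed for this example; a real deployment would load the roster from the directory and feed the function from the mail pipeline.

```python
"""Flag inbound mail that impersonates a known executive (added example)."""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # assumption: the organisation's mail domain
EXECUTIVES = {                   # assumption: display names -> real addresses, from the directory
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
SENSITIVE_TERMS = ("w-2", "w2", "wire", "gift card", "urgent")


def lookalike(domain, legit):
    """True if `domain` is within one character edit of `legit` (examp1e.com, exampl.com)."""
    if domain == legit or abs(len(domain) - len(legit)) > 1:
        return False
    if len(domain) == len(legit):                       # single substitution
        return sum(a != b for a, b in zip(domain, legit)) == 1
    short, long_ = sorted((domain, legit), key=len)     # single insertion / deletion
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def analyze(raw):
    """Return a list of findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name = display.strip().lower()

    # Tip 1: the executive's name is easy to put on any address; compare the address.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append(f"display name '{display}' is an executive but address is {addr}")
    # A registered lookalike domain passes SPF/DKIM for the attacker, so check it by name.
    if domain and domain != COMPANY_DOMAIN and lookalike(domain, COMPANY_DOMAIN):
        findings.append(f"sender domain {domain} looks like {COMPANY_DOMAIN}")
    # A Reply-To that differs from From quietly redirects the conversation to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    # Tip 3: requests for W-2s or payments outside the normal chain of command.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits:
        findings.append("mentions sensitive terms: " + ", ".join(hits))
    return findings


# Constructed sample messages for this example.
SPOOFED = (
    'From: "Jane Doe" <jane.doe@examp1e.com>\n'
    "Reply-To: ceo.travel@gmail.com\n"
    "To: payroll@example.com\n"
    "Subject: Urgent: W-2s for all staff\n"
    "\n"
    "I'm travelling and need every employee's W-2 as a PDF before noon.\n"
)
FREEMAIL = (
    'From: "John Roe" <johnroe.ceo@gmail.com>\n'
    "To: ap@example.com\n"
    "Subject: Need a wire sent today\n"
    "\n"
    "Please process a wire of $48,000 to the vendor below and keep this between us.\n"
)
LEGITIMATE = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "To: payroll@example.com\n"
    "Subject: Board deck\n"
    "\n"
    "Can you send me the headcount slide when it is ready?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("freemail", FREEMAIL), ("legitimate", LEGITIMATE)):
        print(label, "->", analyze(raw) or "no findings")
```

Any finding should route the message to a human reviewer rather than to the payroll inbox; the point of the check is to enforce the phone-call confirmation from tip 1 before the data or the money leaves. The edit-distance test is deliberately crude and will miss lookalikes that use a different top-level domain or a subdomain trick, so it complements rather than replaces DMARC enforcement on the real domain.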
About Katherine Keefe
Katherine Keefe leads Beazley Breach Response Services (BBR Services). As head of BBR Services, Katherine directs the management of breach incidents reported by Beazley BBR policyholders and develops Beazley's risk management services designed to minimize the frequency and severity of data breaches.