According to the IRS, phishers are trying to siphon W-2 data that can be used to file fraudulent taxpayer refund requests. In addition to the usual enterprises, they are also targeting school districts, healthcare organizations, chain restaurants, temporary staffing agencies, tribal organizations and nonprofits. But the phishers aren’t stopping there. The same criminals then try to steal from the victim organization’s bank accounts. The IRS said the cybercriminals often follow the theft of sensitive information with an email “from the CEO” to an employee in the accounting or finance department, requesting that a wire transfer be made to a certain account. Unbeknownst to the obliging employee, the account where the money was transferred belongs to the cybercriminal.
IRS Commissioner John Koskinen noted, “This is one of the most dangerous email phishing scams we’ve seen in a long time. Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars.”
“Financial institutions are embracing the digital revolution to remain competitive and relevant. While digital channels provide tremendous growth opportunities for banks, they also present new challenges in combatting a greater volume of sophisticated online attacks,” said Bryan Luke, chairman of ABA's Endorsed Solutions Banker Advisory Council.
Organizations, employees and individuals must begin applying a skeptical eye to all online communications, aware that every digital transaction may be compromised. To address this head on, business leaders must think about how to proactively defend against external threats with a multi-pronged approach.
Below are the core elements of that strategy. It consists of creating an environment where each threat is mitigated in near real time, limiting and reducing criminal gain. Over time, this approach deters attacks:
- Early phishing detection and takedown – widely monitor web, social media and email sources to detect newly configured phishing attacks before they are fully launched, and work with hosting providers and other third parties to take down those sites as quickly as possible.
- Domain and social media monitoring for impersonation – analyze social networks and domain registrations to find fake social profiles, malicious mentions and similar domains that impersonate your company and compromise customer information.
- Email fraud protection – improve visibility into who is sending emails across enterprises and move to implement a policy blocking emails sent from unauthorized sources.
- Rogue mobile application protection – monitor for and remove unauthorized applications imitating your apps in the Apple and Android stores, reducing the risk of customers downloading imposter apps.
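The domain-monitoring and email-fraud elements above both come down to recognizing a sender domain that imitates your own, which is exactly what a “from the CEO” wire-transfer email relies on. The script below is an added example written for this page, not code from the article, the IRS or the ABA. It flags lookalike sender domains in inbound From headers by normalizing common homoglyphs (digits and letter pairs that read as other letters), comparing the registrable label with edit distance, and spotting a swapped top-level domain. The confusable table, the sample headers and the domain list are constructed for the demo, and the domain splitter assumes a single-label public suffix such as `.com` (a real deployment would consult the public suffix list).

```python
"""Lookalike-domain triage for inbound mail (added example, not from the article).

Classifies the domain of each sender address against a list of the
organization's own domains. Sample data below is constructed for the demo.
"""

# Multi-character confusables are applied before single characters so that
# "rn" collapses to "m" before any per-character rule could touch the "n".
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CHAR_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize_label(label: str) -> str:
    """Lower-case a domain label and fold common homoglyphs to their targets."""
    label = label.lower()
    for seq, replacement in MULTI_CHAR_CONFUSABLES.items():
        label = label.replace(seq, replacement)
    return "".join(SINGLE_CHAR_CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable label, tld).

    Assumption for the demo: a single-label public suffix (".com", ".co"), so
    the registrable label is the second-to-last label.
    """
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_sender(address: str, legit_domains, max_distance: int = 1):
    """Classify the domain of one sender address.

    Returns (verdict, matched_legit_domain). Verdicts: legit, legit-subdomain,
    tld-swap, homoglyph, typosquat, unknown.
    """
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    s_label, _ = split_domain(domain)
    s_norm = normalize_label(s_label)
    for legit in legit_domains:
        legit = legit.lower()
        if domain == legit:
            return "legit", legit
        if domain.endswith("." + legit):
            return "legit-subdomain", legit
        l_label, _ = split_domain(legit)
        l_norm = normalize_label(l_label)
        if s_label == l_label:
            # Same label, different suffix: examplecorp.co vs examplecorp.com
            return "tld-swap", legit
        if s_norm == l_norm:
            # Differs only by confusable characters: examp1ecorp, exarnplecorp
            return "homoglyph", legit
        if levenshtein(s_norm, l_norm) <= max_distance:
            # One edit away after normalization: examplecrp
            return "typosquat", legit
    return "unknown", ""


def scan_from_headers(headers, legit_domains):
    """Extract the address from each From header and classify it."""
    results = []
    for header in headers:
        if "<" in header and ">" in header:
            addr = header[header.rfind("<") + 1 : header.rfind(">")]
        else:
            addr = header.strip()
        results.append((addr, classify_sender(addr, legit_domains)[0]))
    return results


# Constructed sample data for the demo.
LEGIT_DOMAINS = ["examplecorp.com"]
SAMPLE_FROM_HEADERS = [
    "Jane Doe <ceo@examplecorp.com>",
    "Jane Doe <ceo@examp1ecorp.com>",
    "Jane Doe <ceo@exarnplecorp.com>",
    "Jane Doe <ceo@examplecorp.co>",
    "Jane Doe <ceo@examplecrp.com>",
    "payroll@mail.examplecorp.com",
    "Vendor <billing@unrelated-bank.org>",
]

if __name__ == "__main__":
    for addr, verdict in scan_from_headers(SAMPLE_FROM_HEADERS, LEGIT_DOMAINS):
        print(f"{verdict:16} {addr}")
```

Anything other than `legit` or `legit-subdomain` is a candidate for a quarantine rule or a finance-team banner; in practice the same lookalike check is also worth running against new domain registrations, since the phishing site and the spoofed sender domain are usually the same registration.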
All of these actions can be taken today, can be implemented quickly, and together can drastically reduce the risk of your organization becoming a victim of fraud from digital threats. Organizations that take a proactive instead of reactive approach to this emerging problem will discourage fraudsters, who will move on to easier targets. Organizations that do not take proactive approaches will find themselves the unfortunate victims of tomorrow’s ever-more creative schemes.