In Wyoming, two health organizations fell victim to a W-2 phishing scam last month. At Campbell County Health, an employee clicked a link in an email that appeared to be sent by a hospital executive. End result: SSNs and W-2 information of 1,400 employees were disclosed. A similar breach occurred at eHealthInsurance when one of their employees sent W-2 information in response to a phishing email that he/she believed was sent from a company executive.
In Kansas, Sedgwick County lost $566,000 when a Georgia (U.S.) hacker sent an email to a county employee that appeared to be from the CEO of another company. The email included a form requesting payments be made electronically to a new account at a Wells Fargo Bank in Georgia. The payment was made. In this particular case, the hacker was caught, and George S. James is now charged with one count of wire fraud. See https://www.justice.gov/usao-ks/pr/georgia-man-charged-cyber-crime-cost-sedgwick-county-566000.
The moral of the story: Things are not always as they seem.
It's called "CEO fraud" because typically the email address of the CEO is spoofed in the "From" line on an email that is delivered to an employee or other C-level executive of the company. Just because an email appears to come from someone you know doesn't mean it actually is.
The lesson here is that you should never send sensitive information like W-2s (or money!) based on an email you received. Always verify an email's origin before taking action. When it comes to sharing private or otherwise sensitive information, trust but verify.
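The post says CEO fraud works because the "From" line merely appears to belong to an executive, and that the fix is to verify an email's origin before acting. The script below is an added example of what that verification looks like on the receiving side; it is not from the original post or from any of the organizations named. It reads message headers with Python's standard `email` module and flags the patterns that make a message look executive-sent while coming from elsewhere: an executive's display name on an outside address, a Reply-To that diverts replies away from the visible sender, a From address in the company's own domain that the receiving server recorded as failing SPF/DKIM/DMARC, and a lookalike domain one character off from the real one. The company domain, the executive name and all four sample messages are constructed for illustration.

```python
"""Header triage for executive-impersonation ("CEO fraud") email.

Added example, not code from the original post. The domain, names and
sample messages are constructed; replace COMPANY_DOMAIN and
EXECUTIVE_NAMES with your own values before use.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-health.org"          # assumed company mail domain
EXECUTIVE_NAMES = {"jane doe"}                  # assumed executive display name(s)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_headers(raw_message: str) -> list[str]:
    """Return risk flags for one RFC 5322 message; an empty list means none fired."""
    msg = message_from_string(raw_message)
    flags = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)

    # 1. Executive's name in the display name, but the address is not ours.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_dom != COMPANY_DOMAIN:
        flags.append("executive-name-external-address")

    # 2. Replies would go to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("reply-to-mismatch")

    # 3. Claims our domain, but the receiving MTA's Authentication-Results
    #    header (written by the server, not the sender) records a failure.
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom == COMPANY_DOMAIN and any(
        marker in auth for marker in ("spf=fail", "dkim=fail", "dmarc=fail")
    ):
        flags.append("company-domain-auth-failed")

    # 4. Domain that differs from ours by a single character edit.
    if from_dom and from_dom != COMPANY_DOMAIN and _edit_distance(from_dom, COMPANY_DOMAIN) <= 1:
        flags.append("lookalike-domain")

    return flags


# --- constructed sample messages -------------------------------------------
LEGIT_MESSAGE = """From: Jane Doe <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Board meeting agenda
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass header.d=example-health.org

Agenda attached, see you Thursday.
"""

IMPERSONATED_NAME = """From: Jane Doe <jane.doe@mail-service.example>
To: payroll@example-health.org
Subject: W-2 copies needed today

Please send me the W-2s for all employees as a single PDF.
"""

FORGED_FROM = """From: Jane Doe <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Urgent wire
Reply-To: jd.private@webmail.example
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=example-health.org; dkim=none

Please process the attached payment form to the new account today.
"""

LOOKALIKE_DOMAIN = """From: Jane Doe <jane.doe@example-heaIth.org>
To: payroll@example-health.org
Subject: Quick favor

Are you at your desk? I need something handled quietly.
"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT_MESSAGE), ("impersonated-name", IMPERSONATED_NAME),
                       ("forged-from", FORGED_FROM), ("lookalike", LOOKALIKE_DOMAIN)]:
        print(f"{label:18s} -> {assess_headers(raw) or 'no flags'}")
```

Only the `Authentication-Results` header written by your own mail server is trustworthy for check 3; a copy of that header supplied by the sender can say anything, so gateways that do this in production strip inbound copies before adding their own. None of these checks replaces the post's advice to confirm out of band, but a message carrying any flag is one where picking up the phone is clearly worth it.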