In Wyoming, two health organizations fell victim to a W-2 phishing scam last month. At Campbell County Health, an employee clicked a link in an email that appeared to be sent by a hospital executive. End result: SSNs and W-2 information of 1,400 employees were disclosed. A similar breach occurred at eHealthInsurance when one of their employees sent W-2 information in response to a phishing email that the employee believed came from a company executive.
In Kansas, Sedgwick County lost $566,000 when a Georgia (U.S.) hacker sent an email to a county employee that appeared to be from the CEO of another company. The email included a form requesting payments be made electronically to a new account at a Wells Fargo Bank in Georgia. The payment was made.
In this particular case, the hacker was caught, and George S. James is now charged with one count of wire fraud. See https://www.justice.gov/usao-ks/pr/georgia-man-charged-cyber-crime-cost-sedgwick-county-566000.
The moral of the story: Things are not always as they seem.
It's called "CEO fraud" because typically the CEO's name or email address is spoofed in the "From" line of an email delivered to an employee (often in HR, payroll or finance) or to another C-level executive. Nothing in plain SMTP checks that the From line is genuine; unless the receiving mail system enforces SPF, DKIM and DMARC, the sender can write whatever name and address they like there, or register a look-alike domain one character off from the real one. Just because an email appears to come from someone you know doesn't mean it actually does.
The lesson here is that you should never send sensitive information like W-2s (or money!) based solely on an email you received. Always verify an email's origin before taking action, and do it out of band: call the executive at a number you already have, or walk to their office. Do not reply to the message or use the phone number it contains, because a spoofed email's Reply-To and contact details belong to the attacker. When it comes to sharing private or otherwise sensitive information, trust but verify.
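The headers of a suspicious message can also be checked mechanically before anyone picks up the phone. The script below is an added example and is not code from the original post: it parses a raw message and flags the signs of CEO fraud described above (an executive's name on an outside address, a look-alike domain, a Reply-To or Return-Path that diverges from the From line, and a From line claiming your own domain without a DMARC pass). The domain example-health.org, the executive names and the three sample messages are constructed for illustration; on a real mail system the Authentication-Results header would be written by your own inbound MTA.

```python
"""Flag CEO-fraud style messages from their headers.

Added illustration, not code from the original post. The organisation
domain, executive list and sample messages are all made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the illustration: our domain and the executives whose
# names an attacker is likely to borrow.
OUR_DOMAIN = "example-health.org"
EXECUTIVES = {"jane doe", "john roe"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def authentication_verdicts(msg):
    """Reduce Authentication-Results header(s) to {'spf': 'pass', 'dmarc': 'fail', ...}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def assess(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Executive's display name paired with an address outside our domain.
    if name.strip().lower() in EXECUTIVES and from_domain != OUR_DOMAIN:
        findings.append(f"executive name '{name}' used with external address {addr}")

    # 2. Sender domain is a near miss for ours (example-heaith vs example-health).
    if from_domain and from_domain != OUR_DOMAIN and edit_distance(from_domain, OUR_DOMAIN) <= 2:
        findings.append(f"look-alike domain {from_domain} resembles {OUR_DOMAIN}")

    # 3. Replies are steered to a different mailbox than the one shown in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")

    # 4. Envelope sender (Return-Path, set by the receiving MTA) is in another domain.
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    env_domain = envelope.rpartition("@")[2].lower()
    if env_domain and env_domain != from_domain:
        findings.append(f"Return-Path domain {env_domain} differs from From domain {from_domain}")

    # 5. A From line claiming our own domain must carry a DMARC pass.
    verdicts = authentication_verdicts(msg)
    if from_domain == OUR_DOMAIN and verdicts.get("dmarc") != "pass":
        findings.append(f"From claims {OUR_DOMAIN} but DMARC did not pass: {verdicts}")

    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example-health.org
From: "Jane Doe" <jane.doe@example-health.org>
Reply-To: jane.doe.ceo@webmail.example
To: payroll@example-health.org
Subject: W-2 copies needed today

Can you send me the W-2s for all staff as a PDF before the board call?
"""

LOOKALIKE = """\
Return-Path: <jane.doe@example-heaith.org>
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-heaith.org; dkim=pass header.d=example-heaith.org; dmarc=pass header.from=example-heaith.org
From: "Jane Doe" <jane.doe@example-heaith.org>
To: accounts.payable@example-health.org
Subject: Updated vendor bank details

Please pay the attached invoice to the new account.
"""

LEGITIMATE = """\
Return-Path: <jane.doe@example-health.org>
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass header.d=example-health.org; dmarc=pass header.from=example-health.org
From: "Jane Doe" <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Board call moved

Moving the board call to 3pm.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("look-alike", LOOKALIKE), ("legitimate", LEGITIMATE)):
        print(label, assess(sample) or "no findings")
```

The look-alike sample is the one to study: SPF, DKIM and DMARC all pass, because the attacker controls the look-alike domain and set those records up correctly. Authentication headers prove that a message really came from the domain it names, not that the domain is the one you think it is, which is why the display-name and near-miss checks are needed alongside them and why the phone call still matters.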