Employees count on their employers to keep their private information safe. This is especially true during one of the most information-sensitive times of the year: tax season. For attackers who rely on social engineering tactics, targeting organizations right now can be a potential goldmine.

We’ve previously discussed how social engineering tries to trick members of your staff into giving out valuable information – oftentimes by posing as official sources who need the requested information now. This is a threat you should stay on high alert for year round, but recent news should have you more aware and wary of requests centered around employee tax information.

A Common Scam

A few high profile social engineering attacks have made the round recently, but let’s take a look at one notable example.

A medical organization in Gillette, Wyoming by the name of Campbell County Health released a statement announcing they were the victims of an attack. CEO Andy Fitzgerald stated, “Currently, it appears that an unauthorized individual, impersonating a CCH executive, contacted an employee requesting W-2 information for all of our employees who had taxable earnings in calendar year 2016. Unfortunately, before it was determined that the request was fraudulent, the employee provided these files.”

Familiar Pattern

We can tell this was a social engineering attack due to the tactics employed here. The attacker pretended to be someone else in a position of authority, putting the employee in a stressful position. Imagine you received a call from someone who, as far as you can tell, is a superior. They demand sensitive information be sent to an email address they give you. When you take the time to think it through, this scenario sets off plenty of alarm bells. But that’s the thing – there’s no time to analyze this request. There’s just a very understandable fear of wanting to keep your job.

This is the type of atmosphere social engineering attacks feed off of and how valuable information – like W-2 forms – can be willingly handed out to attackers. It’s not much of a leap to see how these forms could be incredibly harmful to employees as well; as they contain crucial information like employee names, addresses, wages and social security numbers.

When it comes to protecting yourself against these forms of attack, there are a few steps you should take right now. Train your employees on what is acceptable to give out and what needs to have further approval. Discuss with them that these attacks are happening and that they should be extremely wary of any out-of-the-blue request for information like this. BAI also offers a Social Engineering Evaluation which takes a deep look at your cybersecurity profile and tests every aspect of it.

Whichever method you choose to go with, be sure to protect your business and employees from these threats. These attackers prey on goodwill and ignorance; take steps to educate your staff and stop the attacks in their tracks.