Just when you thought it couldn’t get much worse in terms of IT security threats, cybercriminals are now using an insidious technique to gain access to sensitive personal information: Boss Phishing.
Phishing is a malicious attempt to obtain financial or confidential information from companies or individuals, typically by sending an email that appears to be from a legitimate source. The bad guys pose as trusted sources and try to “fish (phish)” for sensitive information from unsuspecting employees.
The latest development of the phishing technique is an email that appears to come from a boss or other authority figure, such as a CEO or CFO, asking for the personal W-2 information of all the company’s employees. The email looks legitimate at first glance, with the proper email address, name, and title, which lulls the employee into a false sense of security. Cybercriminals can find a goldmine of personal information about bosses, including titles and email addresses, on LinkedIn and other social media sites, which makes the email message seem authentic. In reality, the email is sent by a cybercriminal who has either spoofed or forged the boss’s email address or has hacked into the boss’s email account and taken temporary control of it.
In recent months, scores of companies of all sizes have fallen victim to this well-devised scam. A sizeable percentage of employees responded to the apparent legitimacy of the email and its sense of urgency and quickly sent the requested information to what they thought were their bosses’ email addresses. The cybercriminals captured and distributed the massive amount of sensitive financial information throughout their underground network, and it has been used in a variety of illegal schemes. As a result, the considerable cost to companies and individuals has been many millions of dollars, lost jobs, and shaken nerves.
Simple steps to take to counter the Boss Phishing threat
There are some simple steps companies and individuals can take to counter this and other sophisticated cyberattacks.
- Carefully review any email request by checking for typos, awkward language, or any other characteristics that indicate it might not be from the purported sender. For example, one of the most recent Boss Phishing email messages began with “Kindly send me the individual 2015 W-2 …” This polite, awkward phrasing sounds strange, but many employees still responded with the sensitive information.
- Never reply directly to a suspicious email; instead, create a new message and type in the official email address yourself.
- Avoid clicking on any links in emails. Any of these links could send you to a site controlled by a cybercriminal or enable them to gain access to your network. If you want to explore a site, type the website address into a new browser window.
- Be particularly vigilant about any requests for sensitive information during tax time or other periods of high stress for financial and accounting staff, when these employees may be more psychologically vulnerable to phishing scams.
- Company management needs to train staff on these and other simple and proven cybersecurity steps and should remind employees frequently to be aware of new scams.
- Management should announce the latest scams they learn about with detailed descriptions. They should also encourage employees to share any scamming attempts they encounter with the company.
- Most importantly, employees should always verify any request for sensitive information personally with the boss or other authority figure through a separate channel, such as the telephone or the company’s internal chat system. This step confirms that the request is legitimate and also covers the case where a cybercriminal has hacked into the boss’s email account, since a reply to that account would go straight to the attacker.
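As an added illustration of the checks in the list above (this is example code, not from the Network Depot post), the following Python sketch flags the warning signs in a raw email message: an executive’s display name on an address that is not theirs, a Reply-To that differs from the visible sender, a request for W-2 data, and pressuring “kindly” phrasing, while still calling for out-of-band verification when the sender address itself looks genuine. The executive directory and the sample message are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical executive directory (lower-cased display name -> genuine address); constructed for this example.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
W2_RE = re.compile(r"\bw-?2s?\b", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(kindly|urgent|urgently|asap|immediately|today)\b", re.IGNORECASE)


def boss_phishing_indicators(raw_message: str) -> list[str]:
    """Return the reasons a raw email looks like a Boss Phishing W-2 request (empty != safe)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    known_addr = EXECUTIVES.get(from_name.strip().lower())
    asks_for_w2 = bool(W2_RE.search(msg.get("Subject", "")) or W2_RE.search(text))
    indicators = []
    # An executive's display name paired with an address that is not theirs (lookalike domain).
    if known_addr and from_addr.lower() != known_addr:
        indicators.append(f"display name '{from_name}' used with unexpected address {from_addr}")
    # Replies silently routed somewhere other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        indicators.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    if asks_for_w2:
        indicators.append("message asks for W-2 data")
    if URGENCY_RE.search(text):
        indicators.append("pressure or 'kindly' phrasing in body")
    # Even when the From address is genuine (spoofed or hijacked account), a W-2 request
    # in an executive's name needs out-of-band verification by phone or internal chat.
    if asks_for_w2 and known_addr:
        indicators.append("W-2 request in an executive's name: verify by phone before replying")
    return indicators


# Constructed sample message (not real mail).
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@example-corp.co>
Reply-To: jane.doe.ceo@mail.example.net
To: payroll@example.com
Subject: W-2 forms

Kindly send me the 2015 W-2s for all employees today.
"""

if __name__ == "__main__":
    print(boss_phishing_indicators(SUSPICIOUS))
```

An empty result only means none of these heuristics fired; the out-of-band phone check in the last step still applies to any request for sensitive data.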
When in doubt, call your IT Support team
As a leading provider of IT Support in the greater DC area, Network Depot has encountered all types of determined efforts to breach our clients’ networks, and we are used to seeing cybercriminals continually adapt their methods. We’ll make sure to keep you briefed on the latest scams and will take all steps to keep your data safe.
For more information on cybersecurity and phishing, please look at these earlier blog posts:
For assistance with cybersecurity challenges and any other IT-related issues, please contact us here at Network Depot.