Jump to Footer

Dangerous W-2 Spear Phishing Scam Alert



February 23, 2017

The Internal Revenue Service recently issued a public service announcement warning of a spear phishing scam that is making the rounds to various organizations.  Be on alert! This tax-season-themed threat is particularly dangerous.

Spear phishing attacks are emails that appear to be from known or trusted senders. They are cleverly designed to trick recipients into replying with sensitive information.

This particular scam email is disguised to look as though it’s coming from a campus executive, and is sent to an employee in payroll or human resources. It requests a list of employees and their W-2 forms on file. If the employee returns this information, the cyber-criminals are able to use it to perpetrate identity theft or tax fraud schemes.

A concern for us all

While this latest scam alert is important for staff in our payroll and human resources departments, it’s also relevant to everyone who uses email. That’s because it illustrates how scams focus on people occupying specific roles.

The next spear phishing attack will target someone else, so we should all be aware of how to defeat it should we be the next recipient.

Here are some effective ways that we can protect ourselves from phishing attacks:

  • Don’t open unsolicited email messages or web links from unknown senders. On the Internet, anyone can send anyone else an email, and as with all things related to digital communications, distance is irrelevant. Any time you are reading email, you should be as alert as you would be while walking through an unfamiliar neighborhood at night.
  • Never send sensitive information in an email.  Email messages are sent across the Internet unencrypted, so they can be read at any point along the way. If you wouldn’t put it on a postcard, don’t put it in an email.
  • Before submitting sensitive information in a web form, check that the connection is secure.  It should be using the HTTPS protocol and present a valid certificate. Pay close attention to the domain name in the address bar.
  • Call the company to confirm whenever you’re not sure whether the message is legitimate.
  • Type the address of your bank into your browser and log in directly, rather than following links sent to you. Avoid cutting and pasting links from an email message into a new browser window. Many people think that this technique will help them determine whether a website is legitimate; however, phishers can make links appear as if they go to a legitimate site while sending you to another website that they control.
  • Never click links within emails that ask for personal or financial information.  Hackers can retrieve information from your computer in various ways, including accessing stored information and monitoring keystrokes.
  • Never call unfamiliar company phone numbers listed in an email. A common scam asks you to call the phone number listed in the email to update your account information.  Sophisticated technology can mask an area code and pert the call to anywhere.
  • Be wary of emails that seem urgent. Phishing emails often state that “immediate action is required” in order to tempt you to respond without thinking;
  • Pay close attention to the web address if you choose to access a company’s website through an email link. Some phishers register domain names that look similar to the legitimate domain name of a company. If there is any doubt, open a new browser window and type the web address yourself.

As always, if you have concerns or questions about emails that you receive, call our Helpdesk number at 564-4433 for assistance.

Stay up to date with the latest info on this and related topics on our LITS Information Security web page.

Back to top