CEO Imposter Scam Hits Local Business
News Staff - February 3, 2017
UNDATED - Better Business Bureau (BBB) serving Nebraska, South Dakota, The Kansas Plains and Southwest Iowa has been notified that a local company’s controller was the victim of an email scam that used the CEO’s name to request that all employees’ W-2 Forms be sent to him for review.
According to the IRS, this W-2 scam first appeared last year. Cybercriminals tricked payroll and human resource officials into disclosing employee names, Social Security Numbers (SSNs) and income information. The thieves then attempted to file fraudulent tax returns for tax refunds.
This week, the IRS has already received new notifications that the email scam is making its way across the nation for a second time and is urging company payroll officials to double check any executive-level or unusual requests for lists of W-2 Forms or SSNs.
The scam is a variation of phishing emails known as “spoofing.” The schemers go to great lengths to spoof company emails or use social engineering to assume the identity of the CEO, a company attorney or trusted vendor. They research employees who manage money and use language specific to the company they are targeting.
Another version of this scam is targeting school districts. The scammers just change “CEO” to “Superintendent.”
Other business email scams instruct key employees to wire transfer large sums of money, on behalf of the CEO, to pay for equipment that the company has supposedly ordered or for some kind of highly confidential transactions.
According to BBB President and CEO Jim Hegarty, “Cybercriminals are using increasingly sophisticated tactics to steal the data that will allow them to impersonate taxpayers for the purpose of identity theft. Scam artists who commit tax refund fraud love W-2 information because it reveals everything needed to fraudulently file a person’s taxes and request a large tax refund in their name.”
BBB suggests the following to avoid becoming a victim of spoofed phishing emails:
- Pick up the phone and confirm that the request is legitimate. Use a phone number that you know to be correct (not an unrecognized number in an email).
- Examine the email address closely for slight variations, such as an extra letter, that are common in mimicked email addresses.
- If your email program allows it, tag the email as spam.
- Report the email to your Internet Service Provider, and notify your co-workers so others don’t fall for it.
- Notify your BBB at 800-649-6814 and report scams, schemes, con-games and rip-offs on BBB’s ScamTracker at bbb.org/scamtracker/.