The 3rd Perp in the W-2 Phishing Scam?

In systems theory, a useful tool is looking past the “presenting problem.” When it comes to the W-2 phishing scam, we find the typical explanation: Humans are the weakest link in cybersecurity. (Info Sec magazine* called this particular phishing scam an “epidemic” because more than 55 companies have been identified as victims and CSO magazine** reports it as more than 60 companies.)

The standard narrative is that one individual in finance or HR fell for a phishing email that looked like it was from his/her CEO. In the case of Alpha Payroll Services, reported in CSO magazine, the employee who complied with the fake CEO request was fired. “Alpha Payroll leadership promptly terminated the employee, hired experts to assist in the investigation and response, and has been in contact with law enforcement, including the Criminal Investigation Division of the IRS and the FBI, regarding the incident.”

What I haven’t heard once in the coverage is any acknowledgement of how truly insidious this phishing scam is: It’s the companies with decisive and commanding CEOs who are most likely to be victimized. The very attributes that make for a charismatic leader are the ones that have been exploited the most in this scam.

From a “presenting problem” viewpoint, we have two perpetrators:

1. The cybercriminals who devised the scam and exploit responses

2. Employees in HR and Finance who fall for the scam

But when we look past the presenting problem, we have a third actor:

3. CEOs who request reports and data expecting unquestioned obedience

In the cases that have been documented in the press, not one analyst or journalist has suggested that CEOs send emails to their entire company granting permission to challenge requests from the CEO. Instead, they either talk about awareness training for all employees or the need for sophisticated data loss prevention systems.

In most of the high-tech companies I’ve worked for, it was standard operating procedure to respond to any request from the CEO within 3 hours — even if the requests were sent at 11pm or 4am.

Security awareness training often starts with the instructor saying: “Don’t be the weakest link.” I think that is wise counsel to both rank-and-file employees and executives.


* http://www.infosecurity-magazine.com/news/55-companies-and-counting-fall-to/

** http://www.csoonline.com/article/3064675/security/alpha-payroll-fires-employee-victimized-by-w-2-phishing-scam.html

Rethinking “Date of Birth” to Verify Identity

Recently, I received a robocall purporting to be from a nationally recognized pharmacy chain. As part of the interaction, the computer-generated voice asked me to enter my date of birth.

Rule-of-thumb: If you haven’t signed up to receive robocalls from a company, hang up and dial the company in question yourself. It could be a scam.*

It’s difficult to gauge the probability that the call really was from the national pharmacy chain. Regardless, it baffles me how anyone could think date of birth was useful in verifying identity. Date of birth is a very easy datum to obtain on most people.


There are many genealogy sites that aggregate public records such as birth and marriage records. The purpose of these ancestor look-up sites may be perfectly wholesome and innocent, but that does not preclude nefarious use. Additionally, many counties publish their tax rolls online (including name, address, photos, a mini-blueprint of your house, and assessed taxes).**


* The FTC website is a good source of information about defense against robocalls: https://www.consumer.ftc.gov/articles/0076-phone-scams#Robo

** This information has always been public, but before digitization, the process usually meant visiting a government building, going into the records basement, and poring through analog paper records. The digital age has changed all that.