The 3rd Perp in the W-2 Phishing Scam?

In systems theory, a useful tool is looking past the “presenting problem.” When it comes to the W-2 phishing scam, we find the typical explanation: Humans are the weakest link in cybersecurity. (Info Sec magazine* called this particular phishing scam an “epidemic” because more than 55 companies have been identified as victims and CSO magazine** reports it as more than 60 companies.)

The standard narrative is that one individual in finance or HR fell for a phishing email that looked like it was from his/her CEO. In the case of Alpha Payroll Services, reported in CSO magazine, the employee who complied with the fake CEO request was fired. “Alpha Payroll leadership promptly terminated the employee, hired experts to assist in the investigation and response, and has been in contact with law enforcement, including the Criminal Investigation Division of the IRS and the FBI, regarding the incident.”

What I haven’t heard once in the coverage is any acknowledgement of how truly insidious this phishing scam is: It’s the companies with decisive and commanding CEOs who are most likely to be victimized. The very attributes that make for a charismatic leader are the ones that have been exploited the most in this scam.

From a “presenting problem” viewpoint, we have two perpetrators:

1. The cybercriminals who devised the scam and exploit the responses

2. Employees in HR and Finance who fall for the scam

But when we look past the presenting problem, we have a third actor:

3. CEOs who request reports and data expecting unquestioned obedience

In the cases that have been documented in the press, not one analyst or journalist has suggested that CEOs send emails to their entire company granting permission to challenge requests from the CEO. Instead, they either talk about awareness training for all employees or the need for sophisticated data loss prevention systems.

In most of the high-tech companies I’ve worked for, it was standard operating procedure to respond to any request from the CEO within 3 hours — even if the requests were sent at 11pm or 4am.

Security awareness training often starts with the instructor saying: “Don’t be the weakest link.” I think that is wise counsel to both rank-and-file employees and executives.


* http://www.infosecurity-magazine.com/news/55-companies-and-counting-fall-to/

** http://www.csoonline.com/article/3064675/security/alpha-payroll-fires-employee-victimized-by-w-2-phishing-scam.html