Seagate Employees Face Possible Tax Fraud in Recent Phishing Attack
In a statement to Brian Krebs of KrebsOnSecurity, Seagate spokesperson Eric DeRitis confirmed that the storage device manufacturer was targeted by a phishing attack that allowed attackers to steal employee income tax information. The attack came in the form of a typical phishing scam: a Seagate employee received what appeared to be an email from Seagate CEO Stephen Luczo requesting the 2015 W-2 data of current and former Seagate employees. The request was believed to be legitimate, resulting in the theft of the personal data of several thousand employees.
Seagate is the latest organization to fall victim to a high-impact phishing attack. Less than a week ago, employees of the photo- and video-sharing messaging app Snapchat also fell for a similar scam. Three days ago, Mansueto Ventures, the publisher of Inc. and Fast Company magazines, also fell for the same scheme, which caused the exposure of employee information that included wage information and social security numbers.
Tax season in the US and other countries has begun, and it's typical for enterprising criminals to use these schemes to victimize not just individuals, but organizations as well. According to Krebs, W-2 data, which was stolen in the Seagate incident, contains virtually all the information one needs to perform tax refund fraud. Last year alone, W-2 information of over 300,000 victims was successfully stolen off the Internal Revenue Service (IRS) website.
With these types of phishing attacks, along with the prevalence of Business Email Compromise (BEC) scams, companies should be more security-conscious, treating security as something taken up for prevention rather than a cure (i.e. after the security incident has happened).
The storage giant has already notified affected employees of the incident and afforded membership to credit monitoring services. However, the bigger issue remains that an attack such as this will continue to catch employees and individuals off guard.
A deeper security mindset should be forged, and knowledge of social engineering lures and their repercussions for individuals and companies should be strengthened. Employees should be made aware of the practices and measures concerning the various attack tactics used to scam individuals or, in this case, employees. BEC schemes, as seen in recent events, continue to plague companies with age-old techniques that turn employees into easy accomplices. That said, the dialogue with the workforce on verifying email messages and their sources should be intensified.