The tax data of 21,000 employees from over 200 stores across the United States are the subject of another phishing attack—this time involving supermarket chain Sprouts Farmers Market, according to a report yesterday. Founded in 2001, Sprouts is a specialty grocery store that offers fresh produce, health food, vitamins, and supplements. The Arizona-based corporation adds to the growing line of organizations victimized by phishing attacks that successfully stole W-2 data.
Sprouts spokeswoman Donna Egan confirmed the incident in a statement, saying, “Sprouts is working with the FBI and the IRS to investigate this crime and to determine the best ways to protect team member tax information. Anyone who received a W-2 form from Sprouts for 2015 may be impacted.”
According to Egan, the W-2 phishing scam began with an email message directed to the payroll department. The email was written as a formal request from one of the company’s executives for the 2015 W-2 statements of its workforce, and the company admitted that it complied. The records were duly compiled and sent. Not long after, it was discovered that the request resembled techniques used in other recent incidents.
The same technique was used less than a month ago to trick a Seagate employee into supplying the same kind of information to an unknown recipient, which led to the exposure of data of former and present employees. At the tail end of February, an official letter directed to Snapchat employees shared “remorse” and “embarrassment” after an employee was duped into divulging sensitive information that led to the theft of the payroll information of its employees.
Phishing attacks and the slew of Business Email Compromise (BEC) scams such as this are normally meant to con a target into wiring money out of the company to an account that cybercriminals control. But the recent string of attacks shows that the ruse has also been effective for stealing tax information and employee PII.
During tax season, cybercriminals are well aware of how to bank on profitable information that can easily be mined. Attackers continue to ramp up means to victimize not just individuals but, as the trend shows, even organizations. Why? Security journalist Brian Krebs notes that W-2 data stolen from Sprouts and other organizations mentioned can be used to perform tax refund fraud, apart from the possibility of being sold underground or used to stage further attacks. In 2015, over 300,000 taxpayers were victimized by a breach of the Internal Revenue Service (IRS) website.
Reports of newer and more modern phishing techniques warn us of the bad guys’ continuing effort to rake in profit from users and enterprises. Yet the reports we have seen in the past few months indicate that phishers still resort to age-old tactics and tried-and-tested techniques to carry out an attack, and they continue to succeed in doing so. This type of ruse relies significantly on an employee’s lack of awareness and toys with his or her trust to get what is demanded.
While investigations are still ongoing, Sprouts shared that employees are provided with a free one-year credit monitoring service. However, employees openly share discontent and fear of the impact of the security blunder. That said, employees continue to willingly turn into cybercrime accomplices in the absence of the cybersecurity awareness and education that help ward off notorious attack strategies like the one used in the Sprouts phishing attack.
Corporations should invest in crafting actionable means to deepen their employees’ security mindset, from developing sufficient knowledge of social engineering lures and their damaging repercussions for the individual and the company, to simple practices of verifying the sources of email messages sent their way.