In a statement made by Seagate spokesperson Eric DeRitis to Brian Krebs of krebsonsecurity, it was confirmed that storage device manufacturer Seagate was targeted by a phishing attack that allowed attackers to steal employee income tax information. The attack came in the form of a typical phishing scam: a Seagate employee received what appeared to be an email from Seagate CEO Stephen Luczo requesting the 2015 W-2 data of current and former Seagate employees. The request was believed to be legitimate, resulting in the theft of personal data of several thousand employees.
Seagate is the latest organization to fall victim to a high-impact phishing attack. Less than a week ago, employees of the photo- and video-sharing messaging app Snapchat also fell for a similar scam. Three days ago, Mansueto Ventures, the publisher of Inc. and Fast Company magazines, also fell for the same scheme, which caused the exposure of employee information that included wage information and social security numbers.
Tax season in the US and other countries has begun, and it's typical for enterprising criminals to use these schemes to victimize not just individuals, but organizations as well. According to Krebs, the W-2 data stolen in the Seagate incident contains virtually all the information one needs to perform tax refund fraud. Last year alone, W-2 information of over 300,000 victims was successfully stolen off the Internal Revenue Service (IRS) website.
With these types of phishing attacks, along with the prevalence of Business Email Compromise (BEC) scams, companies should be more security-conscious, treating security as something taken up for prevention rather than as a cure (i.e. after the security incident has happened).
The storage giant has already notified affected employees of the incident and offered them membership in credit monitoring services. However, the bigger issue remains that an attack such as this will continue to catch employees and individuals off guard.
A deeper security mindset should be forged, and sufficient knowledge of social engineering lures, and their repercussions for individuals and companies, should be strengthened. Employee awareness of the attack tactics used to scam individuals or, in this case, employees, should be built through practical measures. BEC schemes, as seen in recent events, continue to plague companies with age-old techniques that turn employees into easy accomplices. That said, a dialogue with the workforce on verifying email messages and their sources should be intensified.
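The verification the article calls for can also be automated at the mail gateway. The following is an added example, not code from the article or from Seagate, showing a simple triage check for the pattern described: a message whose display name matches an executive but whose sender domain is external, whose Reply-To points somewhere else, and whose text asks for payroll or tax data. The internal domain (`example.com`), the executive name list and the two sample messages are constructed placeholders for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions (not from the article): the organization's internal mail domain and
# the executive display names that should only ever appear with that domain.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"stephen luczo"}
# Terms typical of W-2 / payroll data requests in BEC lures.
SENSITIVE_TERMS = ("w-2", "w2", "social security", "payroll", "wage")


def _domain(address: str) -> str:
    """Return the lower-cased domain of an RFC 5322 address, or '' if absent."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message: str) -> list[str]:
    """Return a list of findings for a raw message; an empty list means no flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_header)
    from_domain = _domain(from_header)
    findings = []

    # 1. Executive display name, but the actual address is outside the company.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append("executive display name on external sender domain")

    # 2. Replies are redirected to a domain other than the visible sender's.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(str(reply_to)) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    # 3. Subject or body asks for payroll / tax documents.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        findings.append("request mentions payroll/tax data")

    return findings


# Constructed sample resembling the lure described in the article (placeholder domains).
SUSPICIOUS = "\n".join([
    "From: Stephen Luczo <s.luczo@mail-example.net>",
    "Reply-To: accounts@other-example.org",
    "To: payroll@example.com",
    "Subject: 2015 W-2 data",
    "Content-Type: text/plain",
    "",
    "Please send me the 2015 W-2 forms for all current and former employees today.",
])

# Constructed benign message from the real internal domain.
BENIGN = "\n".join([
    "From: Stephen Luczo <s.luczo@example.com>",
    "To: staff@example.com",
    "Subject: Quarterly update",
    "Content-Type: text/plain",
    "",
    "Thanks everyone for a strong quarter.",
])

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", analyze(sample) or ["no findings"])
```

Any single finding is weak on its own (executives do mail from personal accounts, and payroll legitimately discusses W-2s), so a gateway rule would typically quarantine or add a banner only when the first check fires together with one of the others, and route the message to the verification dialogue the article recommends rather than silently dropping it.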