Employees Fall Victim to W-2 Phishing Scam, Sue Employer

September 16th, 2018

Ever heard of the W-2 phishing scam? It is a social-engineering technique in which scammers send fraudulent emails, purportedly from the CEO or another high-ranking company official, to employees in order to obtain sensitive personal information such as names, addresses, social security numbers, and tax withholding details. They use this information to commit tax-related identity theft, open credit cards, or take out loans in the victims' names.

For hackers, the perfect time to pull off this scam is during tax season. In fact, in early 2017, W-2 scammers tricked 100 organizations into releasing taxpayers' confidential information.

An employee who is tricked by a phishing email into sending private details may be viewed by the law as having engaged in an intentional disclosure. That disclosure may in turn be treated as the employer's fault for not training employees to recognize and resist such threats.

Curry, et al. v. Schletter, Inc.

In 2016, a Schletter employee received an email requesting all employees' W-2 tax information for verification purposes. Since the email appeared to come from the employee's supervisor, the employee obliged and sent an unencrypted document containing 200 employees' sensitive information.

The company handled the situation by simply notifying the employees about the incident, six days after it had been discovered. It disclosed no further details and offered only two years of paid credit monitoring and identity theft protection services for each affected employee.

Dissatisfied with the offer and their lack of transparency, the employees filed a class-action lawsuit in federal court.

Data Breach or Data Disclosure

The lawsuit relied on a statute providing that a company must not "intentionally communicate or otherwise make available to the general public an individual's social security number." If the leak was indeed intentional, the business could be liable for treble damages, that is, three times the actual damages.

In response, Schletter filed a motion to dismiss the case, arguing that its employee had never intended to release the details to the public. The federal court rejected the motion, reasoning that the employee's email response was an intentional act even though it had been requested under false pretenses.

This is where the difficulty of distinguishing between a disclosure and a breach comes in. Since no cybercriminal broke into the business's systems and stole the employees' information, the incident did not fit the usual picture of a breach. However, because the company's employee deliberately sent the data, the court treated it as a data disclosure.

The court eventually ruled in favor of the employees, who were able to claim damages from Schletter. Shortly thereafter, the company filed for bankruptcy.

Protecting your business from social engineering scams

Attackers will exploit employees' inattention to obtain sensitive information. Advanced firewalls and intrusion detection systems are of little help against a phishing email, because the message arrives through a legitimate channel and the damage is done by a human decision, not by malicious code.

To raise your team's awareness, train employees to scrutinize questionable requests, especially any request for personnel or tax data, so that they become a human firewall. You can achieve this with GNT Solutions' cybersecurity training program, which simulates real-world attacks and prepares your team for different types of scams. After the training, we send you a report on employee phishing performance that identifies gaps in awareness and gives actionable tips for improvement.

Cybersecurity Policies

As an added precaution, we also advise enforcing cybersecurity policies and limiting access to sensitive information: an employee who cannot export everyone's W-2 forms cannot be tricked into sending them. These measures reduce security risk and help your business meet stringent government standards. Educating your team about the repercussions of data privacy violations will make them more careful when handling sensitive data and more willing to comply with your business policies.

Perhaps you have always understood the importance of cybersecurity awareness but never made it a priority. Now that a court may treat your employees' unwitting actions as an "intentional disclosure," the stakes are even higher. Contact us to develop your own human firewall!