Criminals pretending to be CEOs are hoping to breach the personal information of employees at various companies — and in some cases, have succeeded.
In late February, the payroll department of popular app Snapchat was targeted by a phishing scam in which a scammer impersonated the company's CEO in an email asking for employees' payroll information, according to Snapchat's blog.
"Unfortunately, the phishing email wasn’t recognized for what it was — a scam — and payroll information about some current and former employees was disclosed externally," noted the blog post titled "An Apology to Our Employees."
The names, Social Security numbers and wage information — from W-2 tax forms — for approximately 700 past and present Snapchat employees were breached, according to the Los Angeles Times.
"The good news is that our servers were not breached, and our users’ data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised," the blog read.
Snapchat confirmed within a few hours that the phishing attack was an isolated incident and reported it to the FBI.
In the blog post, the company promised to "redouble" its privacy and security training programs [for its employees] in the coming weeks.
Less than a week after the Snapchat incident, data storage company Seagate Technology also fell victim to the same type of scam, according to cyber security expert Brian Krebs.
A Seagate employee who believed the email scam was a legitimate company request gave away W-2 tax documents on all current and past employees, Krebs reported on his KrebsOnSecurity website.
GCI, an Alaskan ISP and telecom provider, gave thieves more than 2,500 employees' W-2 forms in a similar phishing scam, according to Alaska-based KTVA.com.
The information contained on the W-2s includes Social Security numbers, names and addresses and 2015 income and tax withholding information, according to KTVA.
The FBI is currently investigating both the Seagate and GCI crimes.
Using the same kind of spoofed email, created to look as if it was sent by the company's CEO, a scammer also recently targeted security awareness training company KnowBe4 by reaching out to its controller and asking for employees' tax information, Krebs also reported.
The KrebsOnSecurity article said that KnowBe4's controller responded to the phishing email by stating that while she didn't have access to employees' W-2 forms, the new CFO could help.
The CFO had just completed awareness training and, knowing the email was possibly a phishing attack, asked the CEO if he had requested the information.
The CEO responded that he had not and was glad his team had thwarted the breach.
Criminals who commit tax refund fraud value W-2 information because it contains a wealth of data needed to fraudulently file someone’s taxes and request a large refund in their name.
It's important to always be wary of emails requesting personal information, whether they arrive in your personal email inbox or your work account. Verifying in person with whoever is requesting personally identifiable information is a vital practice to ensure private information remains secure and does not get into the wrong hands.
While hackers often use sophisticated means to break into servers and breach people's sensitive information, human error and simply being unaware that phishing emails exist can also lead to breaches and identity theft.