An employee was fired from a company after they fell for a phishing scam involving W-2 data.
The unnamed individual previously worked for Alpha Payroll, a payroll and merchant services provider that provides payment processing services to companies located all over the United States.
Alpha’s leadership terminated the employee following an incident that occurred earlier this year. As set forth in a letter sent to the Attorney General of New Hampshire:
“On or about March 1 or 2, an Alpha Payroll employee responded to a ‘phishing’ scam email in which the sender represented himself or herself to be the CEO of Alpha Payroll and disguised his or her email address as that of the CEO. In this email, the fraudster requested copies of all the 2015 W-2 forms produced by Alpha Payroll on behalf of its customers. As a result of hidden commands embedded within the email by the sender, upon responding to the email, the reply message was rerouted and sent to the email account of the third-party sender.”
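The rerouting the letter describes is typically a Reply-To header that points somewhere other than the spoofed From address. The following is an added defender-side example (not code from the page or from Alpha Payroll) that triages a message for that pattern; the sample message, internal domain and executive names are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed sample, not from the page: the From display name claims to be
# the CEO, while Reply-To silently sends the employee's answer elsewhere.
SAMPLE_PHISH = """From: "Jane Doe, CEO" <ceo@alpha-payroll.example>
Reply-To: ceo.alphapayroll@webmail.example
To: payroll@alpha-payroll.example
Subject: Urgent - all 2015 W-2 forms needed today

Please reply with copies of every 2015 W-2 we produced for customers.
"""

# Assumptions: the organisation's real mail domain and the display names a
# spoofer is likely to imitate (both hypothetical values).
INTERNAL_DOMAIN = "alpha-payroll.example"
EXEC_NAMES = ("jane doe", "ceo")
SENSITIVE_TERMS = ("w-2", "w2", "payroll records", "ssn")

def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_headers(raw_message):
    """Return a list of reasons the message looks like CEO / W-2 fraud."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "").lower()
    findings = []
    # The "hidden command" in the letter: Reply-To points away from the
    # apparent sender, so the reply is rerouted to the fraudster.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("reply-to domain differs from From domain")
    if reply_addr and domain_of(reply_addr) != INTERNAL_DOMAIN:
        findings.append("reply-to leaves the internal domain")
    # Display name impersonates an executive but the address is external.
    if any(n in from_name.lower() for n in EXEC_NAMES) \
            and domain_of(from_addr) != INTERNAL_DOMAIN:
        findings.append("executive display name on an external address")
    # The lure itself: an executive asking for tax/payroll data by email.
    if any(t in subject for t in SENSITIVE_TERMS) \
            and any(n in from_name.lower() for n in EXEC_NAMES):
        findings.append("executive requesting W-2/payroll data")
    return findings

if __name__ == "__main__":
    for reason in check_headers(SAMPLE_PHISH):
        print("FLAG:", reason)
```

A Reply-To that differs from From also occurs legitimately (mailing lists, ticketing systems), so these are triage signals for a mail gateway or analyst, not a block verdict on their own.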
CEO fraud involving W-2 data is just one of the scams the IRS has detected this tax season.
Back in March, an employee of an Arizona-based supermarket chain also fell for a W-2 phishing scam that might have compromised the sensitive personal information of 21,000 employees. No mention of punitive action against the employee was made, however.
The same cannot be said for Alpha Payroll.
On April 8, the payroll services provider received notice from one of their customers that someone had filed fraudulent tax returns using their employees’ information. Alpha quickly launched an investigation, hired forensic experts, contacted law enforcement, and “promptly terminated the employee.”
It is currently unclear why Alpha Payroll fired the employee, though the deleterious consequences of such a move are worth noting.
“If you fire every employee who clicks a Phish you will soon have no employees,” commented Cris Thomas, security expert and Strategist at Tenable, as quoted by Salted Hash. “While anti-Phishing training may reduce the number of incidents, it will never be 100-percent effective. It only takes one person to click, even by mistake. You need to assume that a Phish will succeed, that bad guys will get in. It’s what you do after the attack that matters.”
Salted Hash goes on to note there is some evidence indicating that Alpha Payroll might have an internal policy barring employees from sharing W-2 data.
Clarification from the head of Alpha Payroll is at this time still pending.