How to avoid falling for the phishing scam (W-2)

in #scam, 8 years ago

While this blog is nominally mine, I don't create ideas in a vacuum. This article on W-2 scams grew out of a conversation I had with my colleague Steve Williams, who ended up being my co-author. You can read more about him at the end of this piece.

Several times each year, LinkedIn feeds and information security forums light up with examples of the latest and greatest variations of phishing attacks. Most recently, the hot stories have involved a simple, targeted request that avoids links, attachments and malware, plays nicely with email filters, and appears extremely urgent to the recipient.

This form of phishing is known as the W-2 scam. It tries to take advantage of people in accounting, controller and HR roles by making an urgent request for employee W-2 information. These messages arrive at a time of year when people in those roles fully expect to receive messages from time-pressed CFOs, or even CEOs, asking for urgent action. In this scenario, attackers combine social engineering and phishing to put employees' sensitive personal details at risk. All of it rests on a well-timed email request, a decision made in the moment, and the SEND button.

W-2 scam: The right message at the right time

The W-2 scam ranks among the more impressive phishing attack techniques. It shows that the right message, sent to the right person at the right time, can produce immediate results. Why leave the advantage of this strategy to the bad guys? The idea of getting the right content to the right people is one that we good guys should aspire to use. If the combination of role-based phishing and social engineering can be this effective at getting people to do the wrong thing, then perhaps we should be looking for opportunities to use similar techniques to get them to do the right thing. If we can use precise targeting and timing for security awareness, maybe we can tip employees in the right direction.

After all, it makes no sense to educate everyone on the W-2 scam. Training that blends "what to do" with "what not to do" helps empower people to make the right call when it matters.

Victory over the W-2 scam

One company reported a victory over the W-2 scam through its own internal "multi-factor authentication" process. The process required that any fund transfer or request for sensitive information be examined and approved by two employees, and then reviewed again by a third person before being completed. This procedure leveraged the "multi-factor" capabilities of people and shut down the scam when the second person examining the request noticed discrepancies within the email and quickly confirmed that the CEO had never made the request.

To play defense successfully and win, you have to study the attacker's playbook and tendencies. When it comes to social engineering and phishing scams, they have a page, or perhaps even several chapters, in the playbook for role-based attacks.

The W-2 scam gives us yet another example of how a security awareness program that adapts and activates in response to trending threats, and delivers targeted content to specific roles, offers a distinct advantage over the "one size fits all" approach. It boils down to this: cybercriminals are getting crafty; we've got to get crafty too.

About Steve Williams: Steve is the Director of Strategic Partnerships at MediaPro and has spent the past four years helping businesses develop, launch and enhance their security awareness and data privacy programs. Steve has worked alongside, and been taught by, some of the most recognized security awareness and social engineering professionals. He currently oversees MediaPro's global partnership program, working to bring together talented security- and privacy-minded businesses to better equip people with the knowledge needed to protect against and prevent today's threats to information and privacy.
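As an added illustration of the dual-review control described above (example code, not from the post or from MediaPro), here is a small Python triage routine that holds every request for W-2 or payroll data for two-person review and lists the discrepancies, such as an executive's name on an external address, that the reviewers should check. The executive names, company domain and sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed values for this example; a real deployment would load them from HR/IT.
EXECUTIVE_NAMES = {"jane doe"}             # display names an attacker would borrow (CEO/CFO)
INTERNAL_DOMAIN = "example-corp.test"      # the organisation's real mail domain
SENSITIVE_RE = re.compile(r"\b(w-?2s?|ssn|social security|payroll|salary)\b", re.I)
URGENT_RE = re.compile(r"\b(urgent|asap|immediately|right away|today|before noon)\b", re.I)


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str
    body: str
    has_link_or_attachment: bool = False   # W-2 scam mails usually carry neither


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def triage(msg: Message) -> dict:
    """Return a verdict plus the discrepancies a human reviewer should look at."""
    reasons = []
    asks_for_data = bool(SENSITIVE_RE.search(msg.body))
    if asks_for_data:
        reasons.append("requests W-2/payroll data")
    if (msg.display_name.strip().lower() in EXECUTIVE_NAMES
            and _domain(msg.from_addr) != INTERNAL_DOMAIN):
        reasons.append("executive display name on an external sender address")
    if _domain(msg.reply_to) != _domain(msg.from_addr):
        reasons.append("Reply-To domain differs from From domain")
    if URGENT_RE.search(msg.body):
        reasons.append("urgency language")
    if asks_for_data and not msg.has_link_or_attachment:
        reasons.append("plain-text request: nothing for a link/attachment filter to catch")
    # The control in the post is procedural: every request for sensitive data is held for
    # two reviewers whether or not it looks suspicious; the reasons tell them what to check.
    verdict = "hold for dual review" if asks_for_data else "deliver"
    return {"verdict": verdict, "reasons": reasons}
```

A genuine request from the real CEO is held as well; the point of the control is that the second and third reviewers, not the first recipient, decide whether the request is legitimate.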

References:
IDG Contributor Network
Channel365 (www.channelthreesixfive.com)
MediaPro