5-Step Plan for Employers to Defeat Text Message ‘Smishing’ Scams

May 05 - Posted at 3:31 PM

Have you received a text from a random number in the last few days? Perhaps the text looks quite obviously suspicious, but it could pass as legitimate – especially if you are distracted or multitasking while scrolling through your device. The text contains a link asking you to confirm the delivery or receipt of a package. Or it tells you that you have just paid a bill. Or that you need to pay an outstanding bill. Or it could just be advertising a random product. These texts are actually scams that have been dubbed “smishing” – combining “SMS” and “phishing” – and your employees are no doubt receiving them, too. In a remote-work era where a multitude of attackers are attempting to gain access to your company network through digital vulnerabilities, the time is now for employers to guard themselves against this latest weapon in the cyberwar raging all around us. What are the five steps your organization can take today to best prepare?

What is Smishing?

“Smishing” is a version of phishing carried out over SMS (short message service, commonly known as texting) channels. The senders of these malicious texts are trying to get hold of personal information, passwords, and money.

Smishers start by sending a text impersonating a reputable company. Typical smishing attempts use the name of a common parcel carrier to inform you that your package has been delivered, or are fake texts that appear to come from a bank, company vendor, or other well-known company. The messages almost always contain a link. Unfortunate recipients who tap that link will often end up with malware silently downloaded to their devices, or will be led to a legitimate-looking form where they “log in” and voluntarily hand over a trove of valuable data.

Smishing is the New Cyberattack

There is ample evidence indicating a rapid increase in smishing attempts. Smishing attacks increased 24% in the U.S. alone and 69% globally last year. According to data from the Federal Trade Commission, 21% of fraud reports that were filed in 2021 involved smishing. That’s 377,840 out of the total 1,813,832 reports that identify a contact method. Of those hundreds of thousands of claims, a total of $131 million was lost, with an average of $900 per report.

Work-from-home and hybrid work arrangements have led your employees to use their mobile phones and company devices at an increasing rate. As a result, many of these smishing attacks now have a workplace component.

What Can Employers Do? A 5-Step Plan to Combat Smishing

So what can you do to address this latest cyber-concern? Here are five steps your organization can take to put yourself in the best position.

  1. Develop Strong BYOD Policies
    First, you should have – and enforce – strong BYOD (bring your own device) policies. They should include employee obligations relating to data security on company devices, with a new emphasis on smishing scams.

    Among other things, the policy should advise employees that they must protect confidential, proprietary, and non-public information, and that they should not allow non-employees to copy or download such information. The policy should also require employees not to share remote access addresses, logins, or passwords with anyone, even if they believe that the individual requesting the information has already been approved for remote access.
  2. Stay Up to Date
    Next, you should make sure you keep company-issued phones’ software and web browsers up to date to take advantage of built-in protection features. Ask your employees to do the same for personal devices being used for business purposes.
  3. Keep Things Need-to-Know
    You should also take steps to make confidential or other sensitive information available only on a need-to-know basis. This will minimize the spread of the information and opportunities for cybercriminals to access company data if a device is compromised. You should advise employees who do have access to such information not to provide it in response to a request delivered through text message.
  4. Enable Multi-Factor Authentication
    You should also consider requiring multi-factor authentication to access company systems. This will provide extra security in the event an employee has their password compromised.
  5. Train, Train, Train
    Finally, and perhaps most importantly, you should instruct employees to be wary of unsolicited requests for information sent by text and phone call. Educate your employees on the typical hallmarks of smishing schemes, including the sense of urgency often embedded into the message, such as a “limited-time offer” or other call for immediate action. You should caution employees not to tap links in an unexpected text message.

    If employees are unsure if the text is legitimate, you should train them to contact the company associated with the text request through a separate source, such as a previously verified phone number. If they receive a text from an unknown number from someone indicating they are a co-worker, you should train the recipient to follow up with the purported sender via company email or phone to confirm the text message.

Beware of Form W-2 Phishing Scheme, Authorities Warn

January 23 - Posted at 8:39 PM

As tax season begins, the IRS is urging employers to educate their HR and payroll staff about a Form W-2 phishing scam that victimized hundreds of organizations and thousands of employees last year.

“The Form W-2 scam has emerged as one of the most dangerous phishing e-mails in the tax community,” the IRS said in a January 2018 alert. During the last two tax seasons, “cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces,” the alert noted.

Reports about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016, the IRS said. As a result, hundreds of thousands of employees had their identities compromised.

The IRS described the scam as follows:

  • Cybercriminals posing as executives send e-mails to payroll personnel requesting copies of Forms W-2 for all employees, using a technique known as business e-mail compromise (BEC) or business e-mail spoofing (BES).
  • The Form W-2 contains the employee’s name, address, Social Security number, income and withholdings. Criminals use that information to file fraudulent tax returns, or they post it for sale on the dark net.
  • The initial e-mail may be a friendly, “hi, are you working today?” exchange before the fraudster asks for all Form W-2 information.

The IRS gave these examples of what appear to be e-mails from top executives at the organization:

  • Kindly reply with all W-2s of our company staff for a quick review. I need them in PDF file type, and you can send it as an attachment.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)? Kindly prepare the lists for me asap.

The scam affected all types of employers last year, from small and large businesses to public schools and universities, hospitals, tribal governments and charities, the IRS said.
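As a defender-side illustration of the red flags the IRS alert lists, here is an added example (not from the IRS or this post): a small Python triage rule that holds a payroll e-mail for out-of-band verification when an executive's display name sits on a non-company sender domain, the Reply-To diverges from the From address, or the body requests W-2 data with urgency language. The company domain, executive names and sample messages are constructed assumptions; the two scam bodies reuse the IRS wording quoted above.

```python
import re
from email.utils import parseaddr

# Assumptions for the illustration: the employer's real mail domain and the
# executive names a fraudster would most plausibly impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}

DATA_REQUEST = re.compile(
    r"\b(w-?2s?|social security number|ssn|date of birth|salary|full details)\b", re.I)
URGENCY = re.compile(r"\b(asap|urgent|urgently|immediately|today|kindly|quick review)\b", re.I)

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def triage(headers: dict, body: str) -> dict:
    """Return the red flags found and whether HR/payroll should hold the
    message for out-of-band verification before sending anything."""
    display, sender = parseaddr(headers.get("From", ""))
    reasons = []
    # An executive's name on an address outside the company's own domain
    # (a lookalike domain or a webmail account) is the classic BEC tell.
    if display.strip().lower() in EXECUTIVES and _domain(sender) != COMPANY_DOMAIN:
        reasons.append("executive display name on a non-company sender domain")
    reply_to = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(sender):
        reasons.append("Reply-To points to a different domain than From")
    if DATA_REQUEST.search(body):
        reasons.append("requests W-2 / SSN / payroll data by e-mail")
    if URGENCY.search(body):
        reasons.append("urgency or pressure language")
    # Hold whenever sensitive data is requested together with any other flag;
    # a bare data request still deserves a phone call but is left to policy.
    hold = any("requests" in r for r in reasons) and len(reasons) >= 2
    return {"hold": hold, "reasons": reasons}

# Constructed samples: two scam messages and one ordinary internal request.
SAMPLES = [
    ({"From": "Jane Doe <jane.doe@examp1e.com>"},
     "Kindly reply with all W-2s of our company staff for a quick review. "
     "I need them in PDF file type, and you can send it as an attachment."),
    ({"From": "John Roe <john.roe@example.com>", "Reply-To": "john.roe.ceo@webmail.example"},
     "Can you send me the updated list of employees with full details (Name, Social "
     "Security Number, Date of Birth, Home Address, Salary)? Kindly prepare the lists for me asap."),
    ({"From": "Jane Doe <jane.doe@example.com>"},
     "Can you send finance the Q1 headcount summary when you get a chance?"),
]

if __name__ == "__main__":
    for headers, body in SAMPLES:
        result = triage(headers, body)
        print("HOLD" if result["hold"] else "ok  ", headers["From"], result["reasons"])
```

A rule like this is a prompt for the human check the IRS recommends, not a substitute for it: a genuine executive request for W-2s should still be confirmed by phone.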

New Scam Targeting HR & Payroll

April 05 - Posted at 3:26 PM

A number of employers have recently fallen victim to a phishing scam that tricks them into disclosing highly sensitive employee information to unknown third parties. Make sure to warn your Human Resources and Payroll Departments to be on the alert so that your company doesn’t get added to the ranks of those swindled.


The Latest Scam

In the wake of tax season, multiple businesses have reported receiving spoofing emails, usually sent to Payroll and Human Resources departments / personnel. The emails appear to be requests from in-house high-level company executives, including in some instances the CEO, requesting that employee W-2 tax forms be transmitted to them for various administrative purposes. In reality, these emails are phishing expeditions sent by outside data thieves, who use cloned company email addresses with authentic-looking company logos, colors, and signatures.


If the recipients are deceived into thinking the emails are legitimate company correspondence, they will comply with the request and end up delivering W-2 forms to the scam artists. These forms contain a treasure trove of employee personal data, including Social Security numbers and other personally identifiable information. The successful hackers often use the data obtained from this phishing scam to file fraudulent tax returns on behalf of company employees.


You May Have Been Hacked And Don’t Even Know It

The IRS has reported a 400% increase in phishing and computer malware incidents this tax-filing season, and many companies that have been compromised still don’t realize it. In the coming weeks, as your employees attempt to file tax returns, you may learn that they are unable to file because someone else has already submitted a tax return on their behalf. The source of this data breach may be your company.


What You Should Do

You should immediately warn your employees about the risks associated with this new scam. You should specifically train your Payroll, Human Resources, and any other group of employees with access to personally identifiable information to be on the lookout for these phishing attempts or other red flags, such as requests for information not typically requested, or requests from individuals with whom the employees do not typically communicate directly. You should also take active security steps to ensure that personal data is only transmitted using secure methods.


If you believe your company is a victim of this scam, you may have a legal obligation to follow applicable data breach notification requirements. Besides determining your legal responsibilities, which vary from state to state, you should consider encouraging your employees to monitor their credit reports and take all of the usual measures to prevent identity theft. You should also suggest they file their tax returns as soon as possible in an effort to avoid the filing of fraudulent tax returns on their behalf.

© 2024 Administrators Advisory Group, Inc. All Rights Reserved