publications full of ideas
Don't Bite!
Shorts On Long Term Care March 2017

1.18.2017

In early February, the IRS issued “an urgent alert” concerning the latest version of the phishing scam that targets W-2 payroll information. In a scenario that has played out countless times, hackers generate a fraudulent email that looks like it came from an organization executive, asking HR personnel to send back employee W-2 forms in a return message. When the forms are sent, they are used to file fraudulent tax returns and for other malicious purposes. This particular scam generally works as follows:

An employee in the targeted organization’s HR department receives a “spoofed” email, which superficially appears to come from a high-ranking member of management;

The spoofed email asks the employee to respond with electronic copies of the previous year’s W-2 earnings statements (which will include employees’ social security numbers, compensation information and home addresses) for all of the organization’s employees; and

The employee, believing that he or she is being responsive to a request from senior management, replies to the spoofed email with the requested tax information.

While all “social engineering” scams seek to find and exploit human weaknesses in order to gain access to sensitive information, this scam is brilliantly cynical: it exploits the imbalance of power between senior management and subordinate personnel by inducing a sense of urgency and desire-to-please with the goal of overwhelming the subordinate’s ability to think critically about the information request. Like any good card trick, the spoofed email creates a psychological distraction that blinds the recipient to the sleight of hand taking place right before his or her eyes.

The consequences of a successful W-2 phishing scam can be extremely serious for the target. Data breach notification laws may require delivery of notices to affected employees, government agencies, credit reporting agencies and/or the media. The organization will also need to report the incident to local and federal law enforcement agencies, as well as the IRS. In short, it will be a costly, time-consuming, distracting and morale-draining experience to deal with the aftermath of a W-2 phishing scam.

In its February alert, the IRS emphasized this scam has begun circulating even earlier this year and is targeting a broader group of organizations including school districts, chain restaurants, and health care organizations. IRS Commissioner John Koskinen called it “one of the most dangerous email phishing scams we’ve seen in a long time.” He stressed the need for vigilance and prompt reporting of incidents to the IRS, by forwarding these messages to phishing@irs.gov, under the subject line “W2 scam.”

As always, the first line of defense against every scam is workforce training and vigilance. In addition to sensitizing personnel to this and other phishing dangers, the IRS recommends organizations adopt a formal written policy about the distribution of W-2 information and other sensitive data. We recommend adopting a general policy triggered whenever an employee gets a request for any sensitive data from a colleague, requiring the employee to start a new email to the purported originator of the message, and never reply directly to the email. You can see the IRS alert on this subject here

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601

what's new at the firm

Webinar: ERISA Fiduciaries, Data Privacy and Cybersecurity Risks: HIPAA, HITECH, and ERISA Preemption of State Data Breach Laws

6/20/2017

This CLE webinar will provide guidance to employee benefits counsel on trends in data breaches for ERISA healthcare and retirement plans, lessons from recent BCBS/Anthem litigation, ERISA fiduciary obligations, ERISA preemption of state data breach laws, and contractual risk mitigation with third-party administrators (TPAs).

Poyner Spruill Attorneys Honored by Chambers USA in Seven Practice Areas

6/2/2017

RALEIGH - Chambers USA: America's Leading Lawyers for Business has ranked seven practice areas and sixteen Poyner Spruill LLP attorneys as leaders in their respective fields. Poyner Spruill received rankings, which identify the firm as a leader in North Carolina, for outstanding work in the following practice areas:

Charlie Davis Joins Poyner Spruill

6/1/2017

Charles E. “Charlie” Davis III has joined Poyner Spruill as an associate attorney practicing in the areas of estate and trust planning and administration, taxation, and business law.

Brett A. Carpenter joins Poyner Spruill

6/1/2017

Raleigh, NC – Brett A. Carpenter has joined Poyner Spruill’s Raleigh office as an associate, with a focus on helping clients with labor and employment law matters.

Five Poyner Spruill Attorneys Recognized for Pro Bono Efforts

5/31/2017

Raleigh, NC – Four Poyner Spruill attorneys have been inducted into the inaugural cohort of the Pro Bono Honor Society by the N.C. Supreme Court.