Another Data Breach Highlights Need For Phishing Training

On March 6th, the Silicon Valley firm Coupa fell victim to a phishing attack that compromised the personal information of employees who worked for the company in 2016. A scammer impersonating the company's CEO requested that payroll information (Form W-2) for the 2016 tax year be sent via email.

Fraudsters continue to increase the number of W-2 phishing scams, also known as business email compromise (BEC) or CEO fraud attacks. In these incidents an attacker, often impersonating the CEO, tricks someone within the company into handing over W-2 tax records or other valuable information.

Why steal W-2 forms? Because they contain employees’ names, addresses, Social Security numbers, and wages. Accordingly, they serve as an easy, one-stop shop for fraudsters, who can use the information to file fake tax returns and obtain a refund, among other types of identity theft.

Coupa was one of numerous companies recently targeted by this phishing scam. "Dissent," the administrator of a breach-analysis site, tallied at least 175 W-2 phishing incidents in 2016 and at least 130 already in 2017, with the Coupa attack being the 128th.

According to security experts, these W-2 attacks, like all phishing attacks, are most reliably prevented by training employees properly and by regularly testing that training.

Coupa, based in San Mateo, California, provides cloud-based spend management software for businesses and counts Caterpillar, NEC, Salesforce and Staples among its customers.

According to the breach notification letter, the exposed information includes name, Coupa employee ID, Social Security number, state of residence and work, 2016 wages earned, and additional information relating to benefits and taxes. The danger of stolen W-2 data is that much of it, Social Security numbers in particular, which individuals rarely change, can be used by fraudsters at any point in the future.

Training remains the best defense against such attacks, says Chris Pierson, CSO and general counsel for financial tech payment firm Viewpost. “Training your HR and finance teams is absolutely critical and highly effective at stopping these scams since these functions must be targeted,” says Pierson, who also advises the Department of Homeland Security on data privacy and cybersecurity matters. “Technical controls are much less effective, especially if these scams are highly targeted.”

It's not just HR teams: anyone who has regular access to valuable personal information should be trained on how to spot a fraudulent email and on what steps to take if they have suspicions.
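Training teaches people to notice the same signals a mail filter can check mechanically: a familiar executive's display name on an address that isn't that executive's mailbox, a Reply-To that diverts responses elsewhere, a request for W-2 or payroll data, and pressure to act today. The following screen is an added illustration and is not code from Coupa, ITPAC or anyone quoted above; the internal domain `example.com`, the executive list, the indicator names and the three sample messages are all constructed for this example. It deliberately flags only messages that combine a data request with an identity mismatch, so that a routine note from a payroll vendor is scored but not flagged.

```python
"""Heuristic screen for CEO-fraud style W-2 request e-mails (illustrative example)."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain
# assumption: lower-cased display name -> the executive's real mailbox
EXECUTIVES = {"pat ceo": "pat.ceo@example.com"}

# Indicator labels returned by score_message()
EXEC_MISMATCH = "executive display name on a non-executive address"
EXTERNAL = "sender domain is external"
REPLYTO_MISMATCH = "Reply-To goes to a different domain than From"
SENSITIVE = "requests W-2 / payroll data"
URGENCY = "urgency language"

SENSITIVE_RE = re.compile(r"\b(w-?2s?|payroll|social security|ssn)\b", re.I)
URGENCY_RE = re.compile(r"\b(asap|urgent|immediately|right away|today)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Parse one RFC 822 message and list the BEC indicators it trips."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(reply_addr) if reply_addr else from_domain
    body = ""
    if not msg.is_multipart():  # sample messages are single-part text
        body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    text = msg.get("Subject", "") + "\n" + body

    reasons = []
    real_mailbox = EXECUTIVES.get(from_name.strip().lower())
    if real_mailbox and from_addr.lower() != real_mailbox:
        reasons.append(EXEC_MISMATCH)
    if from_domain != INTERNAL_DOMAIN:
        reasons.append(EXTERNAL)
    if reply_domain != from_domain:
        reasons.append(REPLYTO_MISMATCH)
    if SENSITIVE_RE.search(text):
        reasons.append(SENSITIVE)
    if URGENCY_RE.search(text):
        reasons.append(URGENCY)
    return {"from": from_addr, "score": len(reasons), "reasons": reasons}


def is_suspicious(result: dict) -> bool:
    """Flag only a data request that also carries an identity mismatch."""
    r = set(result["reasons"])
    return SENSITIVE in r and bool(r & {EXEC_MISMATCH, REPLYTO_MISMATCH})


# Constructed sample messages: a spoof, a benign internal mail, a benign vendor mail.
SAMPLE_MESSAGES = [
    "From: \"Pat Ceo\" <pat.ceo@example-mail.co>\n"
    "Reply-To: pat.ceo@mailbox.invalid\n"
    "Subject: W-2 forms needed today\n\n"
    "Please send me the 2016 W-2s for all employees as a single PDF asap.\n",
    "From: \"Pat Ceo\" <pat.ceo@example.com>\n"
    "Subject: Board deck\n\n"
    "Can you review the slides for Thursday?\n",
    "From: \"Payroll Support\" <support@payroll-vendor.invalid>\n"
    "Subject: W-2 distribution schedule\n\n"
    "W-2 forms will be available in the portal on January 31.\n",
]


def screen_all(messages=SAMPLE_MESSAGES):
    """Score every message; returns (score, flagged) per message."""
    results = []
    for raw in messages:
        r = score_message(raw)
        results.append((r["score"], is_suspicious(r)))
    return results


if __name__ == "__main__":
    for raw, (score, flagged) in zip(SAMPLE_MESSAGES, screen_all()):
        print(score, "FLAG" if flagged else "ok", score_message(raw)["from"])
```

Run as a script it prints one line per sample: the spoofed CEO mail trips all five indicators and is flagged, the internal note scores zero, and the vendor mail scores two (external sender, W-2 wording) without being flagged. The point for training is the same as for the filter: the W-2 request alone is not the tell; the request paired with an address that does not belong to the person it claims to be is.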

If you'd like more information on phishing testing and training for your teams, call ITPAC today.