January 16, 2018

The Top 5 Data Security Scams of 2017

Over the past year, the sheer number of privacy and data security breaches has been staggering. Not only did they involve more high-profile companies, the methods they used to sow havoc also multiplied with some leading to subsequent, more damaging breaches. 

A chair of Goodwin’s Data, Privacy and Cybersecurity Practice, identified five of the biggest privacy and data security scams from this past year. Here, she discusses some of the latest ways hackers and scammers can infiltrate even the most carefully protected companies and compromise sensitive information.

The W-2 Scam

Nearly every year between January and April, we see the W-2 scam. These are phishing emails purporting to come from the CEO or other high-level executive, designed to trick employees, typically in a company’s finance or HR department, into sending all of the employees’ W-2 information to a fraudster. The fraudsters in turn use that information to file bogus tax returns and claim refunds. This year, the level of sophistication and how professional these scams appeared increased exponentially.

In the past, these types of emails were easy to spot because there was something obviously wrong with them, and people could tell it was spoofed. This year, the spoofing has taken on new levels of sophistication. The email address looks exactly like one you would expect to see for your CEO or whomever the con artist is impersonating. And the reasoning behind needing the W-2s also sounded perfectly legitimate: We are in a budget meeting; we need to set salaries; we’re in a compensation meeting; we need everybody’s W-2. 

The Fake Wiring Instructions Scam

Hackers get into a company’s email system and seek out invoices the company pays routinely, using them to create a fake invoice. Maybe they see you paid $30,000 last month to Acme Corp., or $2 million to ABC Corp. They do up a bogus invoice, change the wiring instructions at the end, and make it look like it came from the company that submitted it. They will register a domain name that’s just one letter off so that you don’t readily notice the transmission email is not from the legitimate company. Then they send it as if it’s an email from a company owed the money. And all the while, they are hiding emails from the actual payee so that all you see is the phony correspondence. We saw a number of companies fall victim to this scam.
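The "one letter off" domain described above is the part of this scam a mail gateway or an accounts-payable checklist can actually test for. The following is an added example, not code from the original article or from Goodwin: it compares the sender domain of an invoice email against a small, constructed allow-list of vendor domains (`KNOWN_VENDOR_DOMAINS` is assumed, not real vendor data), first normalising a few common homoglyph substitutions (`rn` for `m`, `0` for `o`, `1` for `l`) and then measuring edit distance. Anything that is not an exact match but sits within one edit of a known vendor is reported as a lookalike rather than as an unknown sender, which is the case that deserves an out-of-band phone call before a wire goes out.

```python
"""Flag invoice senders whose domain is a near-miss of a known vendor domain.

Added example (not from the original article). Vendor domains and sample
addresses below are constructed for illustration.
"""

# Constructed allow-list of domains the finance team legitimately pays (assumption).
KNOWN_VENDOR_DOMAINS = {"acmecorp.com", "abccorp.com"}

# Substitutions commonly used in lookalike registrations (assumption, not exhaustive).
_SINGLE_CHAR = str.maketrans("0135", "oles")


def normalize(domain: str) -> str:
    """Collapse common homoglyphs so 'acrnec0rp.com' compares equal to 'acmecorp.com'."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(_SINGLE_CHAR)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'user@dom' or 'Display Name <user@dom>'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, max_distance: int = 1):
    """Return ('trusted', domain), ('lookalike', nearest_known) or ('unknown', None).

    Exact matches are trusted. Otherwise the homoglyph-normalised domain is compared
    against every known vendor; a distance of at most max_distance is a lookalike.
    """
    domain = sender_domain(address)
    if domain in known:
        return "trusted", domain
    norm = normalize(domain)
    best = None
    for vendor in known:
        dist = edit_distance(norm, normalize(vendor))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, vendor)
    if best is not None:
        return "lookalike", best[1]
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders: one legitimate, the rest the kinds of near-misses
    # seen in wiring-instruction fraud, plus one unrelated domain.
    for sample in [
        "accounts@acmecorp.com",
        "billing@acrnecorp.com",
        "Acme Billing <ap@acme-corp.com>",
        "payments@abcc0rp.com",
        "someone@goodwin.example",
    ]:
        print(sample, "->", classify_sender(sample))
```

The distance threshold of one edit is deliberate: widening it to two starts matching unrelated short domains, so a practical deployment pairs this check with a rule that any change to a vendor's bank details, regardless of how clean the sending domain looks, is confirmed by calling a phone number already on file rather than one printed on the new invoice.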

The Spoofed Website Scam

This year we saw more and more spoofed websites that look increasingly legitimate and sophisticated. They will encourage you to click on something, and then you are unwittingly downloading malware onto your system. The malware may allow hackers to spy on the company or collect sensitive data and hold it for ransom, as we saw with the WannaCry attack. We have seen these types of copycat schemes in the past, but they are becoming almost indistinguishable from the real websites. 

The Auto-Forward Scam

In this scam, hackers are able to gain access to one or more employees’ email inboxes, usually through phishing. The fraudsters typically will send out spoofed emails that prompt you to download important documents and to enter your email credentials in order to access the materials. Once they get your credentials they are able to log in to your email remotely as if they were you. Then, they set up email rules so that every single email to or from the CEO or other high-profile individual is automatically forwarded to the hacker’s inbox. This can give them tremendous insight into what is going on at the company and can cause incredible damage.
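The forwarding rule is the durable artifact in this scam: the attacker may never log in again once the rule exists, so a periodic review of mailbox rules is the control that finds it. The following is an added example, not code from the original article or from Goodwin, and it also covers the invoice scam's tactic of hiding the real payee's messages. It audits a constructed list of inbox rules (the dictionary layout and field names are an assumption for illustration, not any mail platform's real export schema) and flags any rule that forwards or redirects mail outside the organisation's own domains, raising the severity when the same rule also deletes or marks the message read, or carries a blank or single-character name, both of which are common ways of keeping the rule inconspicuous to the mailbox owner.

```python
"""Audit mailbox inbox rules for forwarding to external addresses.

Added example (not from the original article). The rule records below are
constructed; their field names are an assumption, not a vendor's schema.
"""

# Domains that belong to the organisation; anything else is external (assumption).
ORG_DOMAINS = {"example.com"}

# Constructed sample rules: one benign, one classic auto-forward with hiding,
# one internal delegation, one redirect that leaks invoices to an outside mailbox.
SAMPLE_RULES = [
    {"mailbox": "ceo@example.com", "name": "Archive newsletters",
     "conditions": {"from": ["news@vendor.example"]},
     "actions": {"move_to": "Newsletters"}},
    {"mailbox": "cfo@example.com", "name": ".",
     "conditions": {"from": ["ceo@example.com"]},
     "actions": {"forward_to": ["archive.ceo@outlook-mail.example"], "delete": True}},
    {"mailbox": "hr@example.com", "name": "Forward to assistant",
     "conditions": {},
     "actions": {"forward_to": ["assistant@example.com"]}},
    {"mailbox": "cfo@example.com", "name": "Invoices",
     "conditions": {"subject_contains": ["invoice"]},
     "actions": {"redirect_to": ["ap-intake@example.com",
                                 "billing@acmecorp-invoices.example"]}},
]


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address's domain is not one of the organisation's domains."""
    return address.rsplit("@", 1)[-1].lower() not in org_domains


def audit_rules(rules, org_domains=ORG_DOMAINS):
    """Return a finding for every rule that sends mail to an external address.

    Severity is 'medium' for a bare external forward and 'high' when the rule
    also hides the message (delete / mark read) or has a blank or one-character name.
    """
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        targets = list(actions.get("forward_to", [])) + list(actions.get("redirect_to", []))
        external = [t for t in targets if is_external(t, org_domains)]
        if not external:
            continue  # internal delegation or no forwarding at all: not a finding
        reasons = ["forwards/redirects to external address(es): " + ", ".join(external)]
        if actions.get("delete") or actions.get("mark_read"):
            reasons.append("also hides the message from the mailbox owner (delete/mark read)")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        findings.append({
            "mailbox": rule.get("mailbox"),
            "rule": rule.get("name"),
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding['severity'].upper()}] {finding['mailbox']} rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

In practice the input would be pulled from the mail platform's rule or audit API for every mailbox, not just executives' mailboxes, and the audit would run on a schedule, since a rule created at 3 a.m. from an unfamiliar location is the signal that matters. Blocking automatic forwarding to external domains at the tenant level removes most of this class outright, and the audit then catches the redirects and deletions that remain.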

The Nefarious Nation-State Scam

Finally, we saw an increase in hacking groups sponsored by nation-states like China, Russia and Ukraine getting into systems at companies that hold sensitive data. Whether it’s the Department of Defense, or somebody with information on big M&A deals, they are obtaining sensitive information they can use to barter or blackmail. The scariest part is that many of these companies didn’t know the groups were in their systems until law enforcement contacted them or a forensic firm discovered it during a routine check of the system. Only then did they find an advanced persistent threat actor in their system that is known to be sponsored by a nation-state.