Goodwin Insights
For Privacy + Cybersecurity
February 14, 2018

The Top 5 Data Security Scams of 2017

Over the past year, the sheer number of privacy and data security breaches has been staggering. Not only did they involve more high-profile companies, but the methods used to sow havoc also multiplied, with some breaches leading to subsequent, more damaging ones.

Sharton, a chair of Goodwin’s Privacy + Cybersecurity Practice, identified five of the biggest privacy and data security scams of the past year. Here, she discusses some of the latest ways hackers and scammers infiltrate even carefully protected companies and compromise sensitive information. She fully expects these scams to continue into 2018, with variations and new traps set for the unwary.

The W-2 Scam

Nearly every year between January and April, we see the W-2 scam: phishing emails purporting to come from the CEO or another senior executive, designed to trick employees, typically in the finance or HR department, into sending all of the employees’ W-2 information to a fraudster. The fraudsters then use that information to file bogus tax returns and claim the refunds. This year, the sophistication and professional appearance of these scams increased markedly.

In the past, these emails were easy to spot because something was obviously wrong with them, and people could tell the message was spoofed. The spoofing has since reached new levels of sophistication. The sender address looks exactly like one you would expect from your CEO or whomever the con artist is impersonating, and the stated reason for needing the W-2s sounds perfectly legitimate: the “CEO” says, “We are in a budget meeting setting salaries, so we need all the W-2s,” or something similar.

The Fake Wiring Instructions Scam

Hackers get into a company’s email system and look for invoices the company pays routinely, then use them to create a fake one. Maybe they see you paid $30,000 last month to Acme Corp., or $2 million to ABC Corp. They draft a bogus invoice, change the wiring instructions at the end, and make it look like it came from the company that originally submitted it. They register a domain name just one letter off from the payee’s so that you do not readily notice the email is not from the legitimate company, and they send it as if it were from the company owed the money. All the while, they hide the emails from the actual payee so that all you see is the phony correspondence. We saw a number of companies fall victim to this scam.
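The one-letter-off domain and the “updated wiring instructions” language are both mechanically detectable before an invoice reaches a human approver. The following script is an added example written for this page, not code from Goodwin or from any product; the payee allow-list, the sample invoice email and the sender domain acmec0rp.com are all constructed for illustration. It measures the edit distance between the sender’s domain and each known payee domain, and separately looks for wording that announces a change of bank details.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of domains the company actually pays; in practice this
# would be pulled from the accounts-payable vendor master (assumption).
TRUSTED_PAYEE_DOMAINS = {"acmecorp.com", "abccorp.com"}

# Wording that signals a change of remittance details, the hallmark of the scam.
WIRING_CHANGE = re.compile(
    r"\b(new|updated?|changed?|revised)\b[^.]{0,60}"
    r"\b(wir(?:e|ing)|bank|account|remittance)\b",
    re.IGNORECASE,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions
    needed to turn a into b. A one-letter-off domain scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_PAYEE_DOMAINS, max_distance: int = 1):
    """Return the trusted domain that `domain` imitates (within max_distance
    edits), or None if it is trusted itself or not close to any."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def check_invoice_email(raw: str) -> dict:
    """Flag an incoming invoice email whose sender domain is one edit away
    from a known payee and/or whose body announces changed wiring details."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = from_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    imitates = lookalike_of(sender_domain)
    mentions_change = bool(WIRING_CHANGE.search(body))
    return {
        "sender_domain": sender_domain,
        "imitates": imitates,
        "mentions_wiring_change": mentions_change,
        # Either signal alone warrants a phone call to the payee on a number
        # already on file; both together is the pattern described above.
        "suspicious": imitates is not None or mentions_change,
    }


# Constructed sample: the real payee is acmecorp.com; the sender swapped o for 0.
SAMPLE_INVOICE = """\
From: Acme Corp Billing <billing@acmec0rp.com>
To: ap@example.com
Subject: Invoice 4471 - remittance update

Hi, please find attached invoice 4471 for last month's services.
Note our updated wiring instructions at the bottom of the invoice; please use
the new account for this and future payments.
"""

if __name__ == "__main__":
    print(check_invoice_email(SAMPLE_INVOICE))
```

An edit distance of 1 catches substitutions, dropped letters and added hyphens, but not a transposition of two letters (that scores 2) or a different top-level domain; raise max_distance for those, at the cost of more false positives on short domains. Whatever the tooling says, the control that actually stops the loss is confirming any change of wiring instructions with the payee out of band.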

The Spoofed Website Scam

We saw more and more spoofed websites that look increasingly legitimate and sophisticated. They encourage you to click on something, and you unwittingly download malware onto your system. The malware may allow hackers to spy on the company, collect sensitive data, or encrypt it and hold it for ransom, as in the WannaCry attack. We have seen copycat schemes like these in the past, but they are becoming almost indistinguishable from the real websites.

The Auto-Forward Scam

In this scam, hackers gain access to one or more employees’ email inboxes, usually through phishing. The fraudsters typically send spoofed emails prompting you to download important documents and to enter your email credentials to access the materials. Once they have your credentials, they can log into your email remotely as if they were you. Then they set up email rules so that every email to or from the CEO or another high-profile individual is automatically forwarded to the hacker’s inbox. This gives the criminals tremendous insight into what is going on at the company and can cause incredible damage.
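Because the attacker’s foothold is an inbox rule rather than malware, the check is an audit of every mailbox’s rules for forwarding or redirection to addresses outside the company. The script below is an added example for this page, not Goodwin’s code or any vendor’s tool. The field names are modelled on the properties Exchange exposes for inbox rules (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder), but the rule records themselves are constructed, and the internal domain example.com is an assumption; a real run would feed it an export of the actual rules.

```python
# Constructed rule export. Field names follow Exchange inbox-rule properties
# (assumption); the mailboxes, rules and addresses are made up for this example.
INTERNAL_DOMAINS = {"example.com"}

SAMPLE_RULES = [
    {   # benign: forwards inside the company
        "Mailbox": "cfo@example.com", "Name": "Copy to assistant", "Enabled": True,
        "ForwardTo": ["assistant@example.com"], "RedirectTo": [],
        "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MoveToFolder": None,
    },
    {   # the scam: everything from the CEO redirected to webmail, original deleted
        "Mailbox": "cfo@example.com", "Name": ".", "Enabled": True,
        "From": ["ceo@example.com"],
        "ForwardTo": [], "RedirectTo": ["ceo.archive.2017@gmail.com"],
        "ForwardAsAttachmentTo": [], "DeleteMessage": True, "MoveToFolder": None,
    },
    {   # disabled, but whoever still holds the credentials can re-enable it
        "Mailbox": "hr@example.com", "Name": "Old vendor sync", "Enabled": False,
        "ForwardTo": ["payroll-sync@outlook.com"], "RedirectTo": [],
        "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MoveToFolder": "RSS Feeds",
    },
]


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def external_targets(rule: dict, internal=INTERNAL_DOMAINS) -> list:
    """All forward/redirect destinations of a rule that leave the company."""
    targets = ((rule.get("ForwardTo") or [])
               + (rule.get("RedirectTo") or [])
               + (rule.get("ForwardAsAttachmentTo") or []))
    return [t for t in targets if _domain(t) not in internal]


def audit_rules(rules: list, internal=INTERNAL_DOMAINS) -> list:
    """Return one finding per rule that sends mail outside the company,
    with the traits that make it look like an attacker's rule."""
    findings = []
    for rule in rules:
        ext = external_targets(rule, internal)
        if not ext:
            continue
        reasons = ["forwards or redirects mail to external address(es): " + ", ".join(ext)]
        if rule.get("DeleteMessage") or rule.get("MoveToFolder"):
            reasons.append("also deletes or files the original, so the owner never sees it")
        if not (rule.get("Name") or "").strip(" ."):
            reasons.append("rule name is blank or a single punctuation mark")
        if rule.get("From"):
            reasons.append("scoped to mail from: " + ", ".join(rule["From"]))
        findings.append({
            "mailbox": rule["Mailbox"], "rule": rule["Name"],
            "enabled": rule["Enabled"], "targets": ext, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"{f['mailbox']} rule {f['rule']!r} [{state}]")
        for reason in f["reasons"]:
            print("  -", reason)
```

Disabled rules are reported on purpose: the rule is evidence that the mailbox was compromised, and removing the rule without also resetting the password and revoking sessions leaves the attacker able to recreate it. Run the audit on a schedule, not once, because the rule is typically created within minutes of the credentials being phished.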

The Nefarious Nation-State Scam

Finally, we saw an increase in hacking groups sponsored by nation-states such as China and Russia getting into the systems of companies that hold sensitive data. Whether it is Department of Defense data or information on big M&A deals, the hackers obtain sensitive information they can use as leverage or for blackmail. The scariest part is that many of these companies did not know the groups were in their systems until law enforcement contacted them or an information security firm discovered the intrusion during a routine check. Only then did they find an advanced persistent threat (APT) actor, known to be sponsored by a nation-state, in their system.