Cybercriminals are increasingly targeting HR departments near tax season. A sophisticated new campaign involves fake W-2 requests.
How the Scam Works
Emails appear to come from the CEO or CFO, requesting immediate access to W-2 forms for all employees. The spoofing is high-quality, often using look-alike domains or even compromised internal accounts.
Business Email Compromise (BEC)
BEC is the heavy-hitter of the phishing world. Unlike generic spam, a BEC attack is highly researched. The attacker may have spent weeks monitoring an executive's social media, or may have compromised a vendor's email thread and waited for the perfect moment to inject a fake invoice or payroll change request. For a cybersecurity SME, BEC represents a financial risk that can bypass many technical filters because it relies on social authority rather than on malicious attachments or links.
Red Flags to Watch For
- Urgent requests for sensitive data ("Need this ASAP for audit").
- Slightly misspelled domain names (e.g., corpporation.com vs corporation.com).
- Requests to bypass standard procedures or send files to personal emails.
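As an added example (not part of the original article), the Python routine below applies the red flags above mechanically to one message: it flags a sender domain within a small edit distance of the organisation's own domain, urgency wording, and destination addresses at personal webmail providers. The domain lists, the urgency words and the sample message are constructed for this example.

```python
import re

# Constructed values for this example: the organisation's own domain and the
# personal-webmail providers to which payroll data should never be sent.
TRUSTED_DOMAINS = {"corporation.com"}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_WORDS = ("asap", "urgent", "immediately", "right away")
ADDRESS_RE = re.compile(r"[\w.+-]+@([A-Za-z0-9.-]+)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domains_in(text: str) -> list[str]:
    """Lower-cased domains of every e-mail address found in text."""
    return [d.lower().rstrip(".") for d in ADDRESS_RE.findall(text)]

def triage(from_header: str, subject: str, body: str, max_distance: int = 2) -> list[str]:
    """Return the red flags raised by one message (an empty list means none)."""
    flags = []
    # A sender at an exactly trusted domain (e.g. a compromised internal account)
    # raises no flag here, which is why out-of-band verification is still required.
    for sender in domains_in(from_header):
        if sender not in TRUSTED_DOMAINS and any(
            levenshtein(sender, t) <= max_distance for t in TRUSTED_DOMAINS
        ):
            flags.append("LOOKALIKE_DOMAIN")
    text = f"{subject} {body}".lower()
    if any(word in text for word in URGENCY_WORDS):
        flags.append("URGENCY")
    if any(d in PERSONAL_MAIL_DOMAINS for d in domains_in(body)):
        flags.append("PERSONAL_MAILBOX")
    return flags

# Constructed sample: look-alike domain, urgency wording and a personal mailbox.
SUSPECT = ("CEO Jane Doe <jane.doe@corpporation.com>",
           "W-2 forms - need this ASAP for audit",
           "Please send every employee's W-2 PDF to jane.ceo@gmail.com today.")
# triage(*SUSPECT) -> ['LOOKALIKE_DOMAIN', 'URGENCY', 'PERSONAL_MAILBOX']
```

The flags only prioritise a message for human review; a clean result does not make the request legitimate.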
Out-of-Band Verification Protocols
The solution to sophisticated phishing isn't more software; it's a process. Every request for sensitive data or financial changes must be verified using an "Out-of-Band" method. This means that if you get an email, you call the requester on a phone number you already know, or speak to them in person. Never use the contact information provided in the suspicious email. In our experience as a leading cybersecurity SME, enforcing this one rule can eliminate 99% of phishing risk.
Read more about spotting deepfakes in our AI Phishing Guide.
