(WFLA) — You would never expect your company to willingly hand over your personal information to a hacker, but it’s happening all the time. That’s because hackers are spoofing the email addresses of CEOs, so employees don’t realize they’re sending sensitive information to a hacker until it’s too late.
In some cases, hackers are obtaining W2 information so they can fill out bogus tax returns and make off with refunds.
The FBI refers to the scam as “Business Email Compromise,” and it can come in different forms. Between October 2013 and March 2016, the FBI reports more than 12,000 cases of BEC in the U.S. resulting in more than $900 million in losses. In Florida, there are more than 700 reported cases resulting in more than $29 million in losses.
In one incident, hackers targeted a law firm. According to a letter sent by the firm to the Attorney General in New Hampshire, an email looked like it came from the CEO and the employee willingly sent W2 forms to the hacker.
Stu Sjouwerman, Founder and CEO of KnowBe4, Inc., said there are methods companies can use to ward off these types of scams.
“Reconfigure the email servers. Make sure an email that comes from the outside shouldn’t be able to get in. So they can block that,” he said.
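The gateway rule he describes, as an added example that is not from the article or from KnowBe4: it inspects a message's headers and flags one that claims the company's own domain in From: but entered from an outside relay, or that quietly redirects replies elsewhere. The company domain, relay names and the sample message are assumptions constructed for the example.

```python
import email
from email.utils import parseaddr

# Assumed values for this example: the company's own domain and mail relays.
COMPANY_DOMAIN = "example.com"
INTERNAL_RELAYS = {"mx1.example.com", "mail.example.com"}

def domain_of(header_value):
    """Lowercase domain from an address header such as From: or Reply-To:."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def originating_relay(msg):
    """Host that handed the message to the first relay that logged it.
    Received: headers are prepended per hop, so the last one is the earliest."""
    received = msg.get_all("Received") or []
    tokens = received[-1].split() if received else []
    if len(tokens) >= 2 and tokens[0].lower() == "from":
        return tokens[1].lower()
    return ""

def bec_findings(raw_message):
    """Reasons a message looks like a spoofed internal sender (empty = none)."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_domain = domain_of(msg["From"])
    relay = originating_relay(msg)
    # The gateway rule from the article: our own domain must not arrive from outside.
    if from_domain == COMPANY_DOMAIN and relay and relay not in INTERNAL_RELAYS:
        findings.append("internal sender but entered from outside relay " + relay)
    # Classic BEC tell: replies are silently routed to a different mailbox.
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain %s differs from From domain %s"
                        % (reply_domain, from_domain))
    return findings

# Constructed sample: a W2 request that claims to be the CEO but came from outside.
SPOOFED = """Received: from mail.attacker.test (mail.attacker.test [198.51.100.7])
 by mx1.example.com with ESMTP; Mon, 7 Mar 2016 09:12:00 -0500
From: "Chief Executive" <ceo@example.com>
Reply-To: ceo.example@webmail.test
Subject: W2 forms needed today

Please send me the W2s for all employees as PDF.
"""

if __name__ == "__main__":
    for finding in bec_findings(SPOOFED):
        print("FLAG:", finding)
```

In production the same two checks are what SPF/DMARC enforcement and a Reply-To mismatch rule on the inbound gateway give you; this script only shows the logic on a captured message.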
The IRS has a form for victims of ID theft. It can be filed before fraud occurs, or after – including when hackers file returns and make off with refunds.
IRS Identity Theft Affidavit: https://www.irs.gov/pub/irs-pdf/f14039.pdf
Free Email Spoof Test from KnowBe4, Inc: https://www.knowbe4.com/domain-spoof-test/
Report crime through the FBI’s Internet Crime Complaint Center: http://www.ic3.gov/default.aspx
Phishing/Spoofing tips from the FBI:
– Be suspicious of any unsolicited email requesting personal information.
– Avoid filling out forms in email messages that ask for personal information.
– Always compare the link in the email to the link that you are actually directed to.
– Log on to the official website, instead of “linking” to it from an unsolicited email.
– Contact the actual business that supposedly sent the email to verify if the email is genuine.