Lincare Inc., a respiratory therapy vendor, has agreed to pay $875,000 to settle a class-action lawsuit filed by its employees over a breach of their W-2 data. The breach occurred on February 3, 2017, when an HR employee responded to a phishing email. The email appeared to come from a senior executive and asked for copies of the W-2 forms of the company's personnel. Believing the request was genuine, the HR employee sent the requested data.
When Lincare discovered the unintentional disclosure of employee data, it notified the affected individuals and offered them two years of credit monitoring and identity theft insurance, along with no-cost remediation services. Even so, three employees, Raymond T. Scott, Patricia Smith and Andrew Giancola, filed a lawsuit against Lincare on October 16, 2017. The complaint alleged negligence, breach of fiduciary duty, breach of implied contract and violation of Florida's Deceptive and Unfair Trade Practices Act.
The lawsuit ended in a settlement under which Lincare will pay $875,000 without admitting liability. Class members will share a fund of $550,000. The remaining $325,000 is set aside to compensate class members who suffer actual identity fraud, such as a fraudulent credit card application, a fake tax return or a bogus loan application filed in their name.
W-2 phishing scams increased over the past year, with more than 100 U.S. companies falling victim, particularly during tax season. The W-2 data of more than 120,000 employees was exposed, some of which was used to file fraudulent tax returns and steal identities.
W-2 phishing scams are typically a form of Business Email Compromise (BEC): a scammer poses as a senior executive and asks a member of the finance or HR team to send copies of employees' W-2 forms by email. In some cases the executive's email address is merely spoofed; in others the executive's actual email account is used. The scammer gains access to the account through a phishing attack or by brute-forcing a weak password. Because employees tend to defer to senior executives and are reluctant to question their requests, they comply with the phishing email.
Databreaches.net reported 145 W-2 phishing attacks in 2016 and more than 100 in 2017. The true figures are likely higher, since not all organizations report such incidents. To avoid falling victim to these attacks, consider the following administrative and technical recommendations:
- Use spam filtering to reduce the volume of phishing emails and to block spoofed messages (for example, by rejecting mail that fails sender-authentication checks or that pairs an executive's display name with an outside address). Filtering alone, however, will not stop a message sent from a legitimate executive account that has been compromised.
- Provide additional security awareness training to employees in the HR, payroll and finance departments.
- Adopt internal policies that prohibit executives from requesting W-2 information by email.
- Require that any request for W-2 information be verified out of band, by phone call or in person, before the data is released.
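As an added illustration (not taken from the original report or from Lincare), the following Python script applies header checks of the kind a mail filter uses to catch spoofed executive email, and shows why those checks cannot catch a W-2 request sent from a genuinely compromised account. The corporate domain, executive roster and message headers are constructed for the example and are not real data.

```python
"""Header-based checks for executive-impersonation (BEC) email.

All sample messages, the corporate domain and the executive roster below
are constructed for illustration; they are not real traffic or real people.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import getaddresses, parseaddr

CORP_DOMAIN = "example.com"  # assumed corporate domain
EXECUTIVES = {                # assumed roster: display name -> genuine address
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
W2_TERMS = re.compile(r"\bW-?2s?\b|payroll|tax statements?", re.IGNORECASE)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def spoofing_indicators(raw: str) -> list[str]:
    """Header signals that the sender is not who the display name claims.

    An empty list means no spoofing signal, not that the request is safe:
    mail from a compromised executive account passes every check here.
    """
    msg = Parser(policy=policy.default).parsestr(raw)
    reasons = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr, from_dom = from_addr.lower(), _domain(from_addr)

    # 1. Executive's display name paired with an address not on the roster.
    roster_addr = EXECUTIVES.get(from_name.strip().lower())
    if roster_addr and from_addr != roster_addr:
        reasons.append(f"display name '{from_name}' with non-roster address {from_addr}")
    # 2. Sender domain is a near miss of the corporate domain.
    if from_dom and from_dom != CORP_DOMAIN and _edit_distance(from_dom, CORP_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {from_dom}")
    # 3. Replies are routed to a different domain than the From address.
    for _, reply in getaddresses([str(h) for h in msg.get_all("Reply-To", [])]):
        if _domain(reply) and _domain(reply) != from_dom:
            reasons.append(f"Reply-To domain {_domain(reply)} differs from {from_dom}")
    # 4. Message claims the corporate domain but fails sender authentication.
    auth = _auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if from_dom == CORP_DOMAIN and auth.get(method) in {"fail", "softfail"}:
            reasons.append(f"{method}={auth[method]} on mail claiming {CORP_DOMAIN}")
    return reasons


def requests_w2_data(raw: str) -> bool:
    """True if the subject or body asks for W-2, payroll or tax statements."""
    msg = Parser(policy=policy.default).parsestr(raw)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    return bool(W2_TERMS.search(str(msg.get("Subject", "")) + "\n" + body))


def triage(raw: str) -> str:
    """Filter decision, plus the policy step that filtering cannot replace."""
    if spoofing_indicators(raw):
        return "block"
    if requests_w2_data(raw):
        return "verify out of band"  # account may be compromised; phone the executive
    return "deliver"


# Constructed samples (not real messages).
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
To: hr@example.com
Reply-To: Jane Doe <jdoe.ceo@mail.invalid>
Subject: W-2 copies needed today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none header.from=examp1e.com
Content-Type: text/plain; charset="utf-8"

Please send me PDF copies of all employee W-2s. Treat as urgent.
"""
COMPROMISED = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: W-2 copies needed today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Please send me PDF copies of all employee W-2s.
"""
BENIGN = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Thursday all-hands
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Please book the large room for Thursday at 10.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("benign", BENIGN)):
        print(label, "->", triage(raw), spoofing_indicators(raw))
```

The lookalike-domain message trips three header checks and is blocked, while the message from the real, authenticated executive account trips none; it reaches the HR inbox and is caught only because the content check routes any W-2 request to out-of-band verification, which is the policy control the list above recommends.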