May 20, 2018
The respiratory treatment provider Lincare Inc. has agreed to settle a class-action lawsuit filed by employees whose W-2 information was sent to cybercriminals when an employee responded to a phishing scam.
On February 3, 2017, a member of Lincare’s human resources division received an email that appeared to come from a high-level manager, requesting copies of W-2 information for all employees of the company. Believing the email was a valid request, the employee replied and attached W-2 information for ‘a specific number of workers of Lincare and its associates.’
After learning of the accidental disclosure of confidential information, Lincare contacted affected employees and offered them identity theft insurance, two years of credit monitoring, and remediation services at no charge.
On October 16, 2017, three employees (Raymond T. Scott, Andrew Giancola, and Patricia Smith) filed a lawsuit against Lincare alleging negligence, breach of implied contract, breach of fiduciary duty, and violation of Florida’s Deceptive and Unfair Trade Practices Act.
The lawsuit survived a motion to dismiss, and following arbitration a settlement was reached. Lincare has agreed to pay $875,000 to resolve the case with no admission of liability. $550,000 will be paid in compensation to class members, with an additional $325,000 earmarked for class members who suffer an eligible occurrence such as the filing of a false/fraudulent tax return, the opening of a false/fraudulent loan, or the opening of a false/fraudulent credit card.
W-2 Phishing Scams and How to Protect Against Them
Last year, over 100 U.S. organizations fell victim to W-2 phishing scams during tax season, leading to the disclosure of over 120,000 employees’ W-2 information. Many of the employees whose personal information was disclosed had their identities stolen and fake tax returns filed in their names.
W-2 phishing scams are simple but extremely effective. These Business Email Compromise (BEC) attacks involve a scammer posing as a senior manager. An email is sent to an employee in the payroll, finance, or HR department requesting copies of the W-2 forms of employees who have worked for the firm in the past year.
In some instances, the email address of a manager is spoofed, although the most effective campaigns involve the use of the executive’s real email account. Access to the account is typically gained via a phishing attack or by guessing a weak password using brute force tactics. The scam exploits trust in managers and the reluctance of employees to question requests from senior managers.
Last year both the IRS and the FBI issued alerts over the sharp increase in BEC attacks during tax season, several of which targeted healthcare companies and educational institutions. Databreaches.net tracks reports of successful W-2 phishing attacks and noted 145 attacks in 2016 and well over 100 in 2017. The true figure will certainly be substantially higher, as not all businesses publicly disclose that they have fallen for such a scam.
The cost of the attacks can be substantial for the victims and, as this settlement shows, for the businesses whose employees have been deceived by the scams.
Preventing attacks requires a combination of technical and administrative measures.
- Spam filtering solutions can reduce the likelihood of phishing emails being delivered to employees and can block spoofed emails, though they will not block emails sent from a compromised email account.
- Staff, particularly payroll, finance, and HR employees, must receive security awareness training and be alerted to the threat.
- Consider introducing internal policies that prohibit managers from requesting W-2 information by email.
- Policies must be developed that require any request for W-2 information received by email to be confirmed by phone or face to face before any data is provided.
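
The first and last measures above can be combined in a mail-triage rule. The following Python sketch is an added example, not code from the original article or from Lincare: it quarantines W-2 requests that show spoofing signals and holds every remaining W-2 request for out-of-band confirmation, since a message sent from a compromised account passes the filter checks. The domain `example.com`, the keyword pattern, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
W2_PATTERN = re.compile(r"\bw-?2s?\b|wage and tax statement", re.IGNORECASE)

def _domain(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Return 'deliver', 'quarantine' or 'hold-for-verification' for one message."""
    msg = message_from_string(raw_message)
    # Simplification: only the subject and a single-part text body are inspected.
    body = "" if msg.is_multipart() else msg.get_payload()
    if not W2_PATTERN.search(f"{msg.get('Subject', '')}\n{body}"):
        return "deliver"
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) or from_dom
    auth = (msg.get("Authentication-Results") or "").lower()
    # Spoofing signals a filter can see: outside sender, diverted replies, DMARC fail.
    if from_dom != ORG_DOMAIN or reply_dom != from_dom or "dmarc=fail" in auth:
        return "quarantine"
    # A compromised internal account passes every check above, so any W-2
    # request that looks legitimate is still held for phone/in-person confirmation.
    return "hold-for-verification"

# Constructed sample messages (not real mail).
SPOOFED = (
    'From: "Senior Manager" <manager@example.com>\n'
    "Reply-To: manager@mail-example.test\n"
    "Subject: W-2 copies needed today\n"
    "Authentication-Results: mx.example.com; dmarc=fail\n\n"
    "Send me the W-2 forms for all staff.\n"
)
FROM_REAL_ACCOUNT = (
    "From: manager@example.com\n"
    "Subject: Urgent request\n"
    "Authentication-Results: mx.example.com; dmarc=pass\n\n"
    "Please email PDF copies of every employee W2 for last year.\n"
)
ROUTINE = "From: colleague@example.com\nSubject: Lunch\n\nNoon on Friday?\n"

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("real account", FROM_REAL_ACCOUNT),
                      ("routine", ROUTINE)]:
        print(f"{name}: {triage(raw)}")
```

The held category is where the phone or face-to-face confirmation policy applies; the filter alone cannot tell a genuine manager from someone using that manager's account.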