4 FAQs about W-2 business email compromise attacks during tax season

Did you know: Tax season is the most popular time of the year for W-2 related cyber attacks. Phishing emails will often request employees to provide W-2s by return email. Continue reading this blog post for four FAQs about W-2 business email compromise attacks.


The most likely cyber attack a company will face will come in the form of an email. One of the most common forms of email attack is the business email compromise (BEC), and the most popular time of the year for the W-2 version of BEC is right now — tax season.

A BEC attack involves attackers sending emails disguised as coming from high-level executives within a company, such as the CEO, to lower level personnel. During tax season, the spoof email will often request that W-2s for employees be provided by return email.

While the email looks identical to the executive’s email, it is coming from — and then returned to — the criminal, not the executive, along with the W-2s and the personal information associated with the documents.

If an employee falls for the scam, the company now has experienced a serious data breach and must comply with certain legal requirements. Worse yet, the company’s employees’ sensitive personal information has been given to the attackers and they have this problem to worry about instead of performing their job. The disruption is substantial in their personal lives and for the company’s operations.

How do attackers use W-2 information?

In most cases, once the attackers have that W-2 information, they use it to attempt to file fraudulent tax returns for those employees and have their tax refunds sent to them instead of the employee. They also use it for traditional identity theft.

The attackers act very quickly once the information is obtained. In some cases, they have begun to fraudulently use the information on the same day they obtained the W-2 information from the company. Time is truly of the essence in responding to these attacks and legal assistance is necessary for properly responding to these data breach events.

Why do so many attacks happen during tax season?

Law enforcement officers and cybersecurity professionals report a drastic increase in these types of attacks at the beginning of each year because of tax season. This is consistent with what has been seen when helping companies with these cases in past years as well. This type of attack is so common during tax season because of its tax-fraud angle: the attackers monetize their attacks by using the fraudulently obtained information to file fraudulent tax returns and collect the refunds owed to innocent victims.

And the sooner they can do this, the better their chances are of getting the refund before the taxpayer files and receives their tax refund.

If a company has not yet been targeted, it is likely that it will be very soon so it is important to be prepared.

What can you do to protect your company?

Educating employees is critical because they will be the ones who receive the emails from the attackers.

  • Make them aware of this issue by sharing the information in this article with them so that they understand the threat, how it works and how it could affect them personally.
  • Train them by having appropriate personnel discuss this threat with them and help them understand that they should be very suspicious of any requests to email out anything of this nature (or make payments, such as with the very similar wire transfer version of the BEC).

Have appropriate internal controls in place to protect against these types of attacks. These controls can include:

  • Limit who has access to your company’s W-2s and other sensitive information as well as who has the authority to submit or approve wire payments.
  • Have established procedures in place for sending W-2 information or other sensitive information as well as for submitting or approving wire payments so that dual approvals are required for these activities.
  • Require employees to use an alternative means of confirming the identity of the person making the request. If the request is by email, the employee should talk to the requestor in-person or call and speak to the requestor using a known telephone number to get verbal confirmation. If the request is by telephone or fax (many times they are), then use email to confirm by using an email address known to be correct to confirm with the purported requestor. Never reply to one of these emails or call using a telephone number that is provided in one of these emails, faxes, or telephone calls.

What to do if your company is hit by an attack

  • Immediately contact experienced legal counsel who understands how to guide a company through these incidents and, ideally, has appropriate contacts with law enforcement and the IRS to assist in reporting this incident quickly.
  • Report the incident to the FBI or Secret Service and appropriate IRS investigators so that the IRS can implement appropriate procedures to protect the employees whose information was exposed in the W-2s.
  • Prepare appropriate notifications to the people whose information was exposed and comply with all legal and regulatory reporting requirements. This should be a part of an existing incident response plan. Companies should have such a procedure in place to be better prepared if and when a security breach occurs.
  • Inform employees that the IRS will never contact them directly, for the first time, via email, telephone, text message, social media or any way other than through a written “snail mail” letter.

SOURCE: Tuma, S. (19 February 2019) "4 FAQs about W-2 business email compromise attacks during tax season" (Web Blog Post). Retrieved from https://www.benefitspro.com/2019/02/19/4-faqs-about-w-2-business-email-compromise-attacks-during-tax-season/


5 Ways to Spot a Phishing Email

Has your organization been affected by phishing attacks? One of the most common types of online threats are phishing emails. Read this blog post to learn five ways to spot a phishing email.


A phishing attack is a form of social engineering by which cybercriminals attempt to trick individuals by creating and sending fake emails that appear to be from an authentic source, such as a business or colleague. The email might ask you to confirm personal account information such as a password or prompt you to open a malicious attachment that infects your computer with a virus or malware.

Phishing emails are one of the most common online threats, so it is important to be aware of the tell-tale signs and know what to do when you encounter them. Here are five ways to spot phishing attacks.

1. The email asks you to confirm personal information

Often an email will arrive in your inbox that looks very authentic. Whether this email matches the style used by your company or that of an external business such as a bank, hackers can go to painstaking lengths to ensure that it imitates the real thing. However, when this authentic-looking email makes requests that you wouldn’t normally expect, it’s often a strong giveaway that it’s not from a trusted source after all.

Keep an eye out for emails requesting you to confirm personal information that you would never usually provide, such as banking details or login credentials. Do not reply or click any links and, if you think there’s a possibility that the email is genuine, you should search online and contact the organization directly – do not use any communication method provided in the email.

2. The web and email addresses do not look genuine

It is often the case that a phishing email will come from an address that appears to be genuine. Criminals aim to trick recipients by including the name of a legitimate company within the structure of email and web addresses. If you only glance at these details they can look very real, but if you take a moment to actually examine the email address you may find that it’s a bogus variation intended to appear authentic – for example, @mail.airbnb.work as opposed to @Airbnb.com.

Malicious links can also be concealed within the body of the email text, often alongside genuine ones. Before clicking on any link, hover over it and inspect the actual destination first.
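As an added example (not from the original post), the following Python script does what the two paragraphs above describe by hand: it reduces a sender or link host to its registrable domain, flags hosts that merely embed a trusted brand name (the @mail.airbnb.work case above), and compares the domain a link displays with the one its href really points to. The allow-list, the short suffix table and the sample message are constructed for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list of brands the recipient actually does business with.
# In practice this comes from the organisation's vendor / partner inventory.
TRUSTED_DOMAINS = {"airbnb.com", "example-bank.com"}

# Tiny stand-in for the Public Suffix List; a production check would load the real list.
KNOWN_SUFFIXES = {"com", "net", "org", "work", "co.uk"}

HOST_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Reduce a host name to the part a registrant actually controls.

    mail.airbnb.work -> airbnb.work ; login.airbnb.co.uk -> airbnb.co.uk
    The sender controls everything left of the registrable domain, which is
    why 'airbnb' appearing as a subdomain label proves nothing.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longest known suffix first
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def classify_domain(host: str) -> str:
    """'trusted' if the registrable domain is on the allow-list, 'lookalike' if
    a trusted brand name is merely embedded somewhere in the host, else 'unknown'."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    labels = set(host.lower().split("."))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in labels or brand in reg:
            return "lookalike"
    return "unknown"


def classify_sender(from_header: str) -> str:
    """Classify the address in a From: header, ignoring the display name,
    which the sender chooses freely."""
    _, addr = parseaddr(from_header)
    return classify_domain(addr.rpartition("@")[2])


def suspicious_links(html_body: str) -> list:
    """Programmatic version of 'hover over and inspect each link': compare the
    host the link text shows with the host the href really points to, and run
    the lookalike check on the real destination."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html_body):
        real_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        reasons = []
        if classify_domain(real_host) == "lookalike":
            reasons.append("lookalike destination domain")
        if HOST_LIKE.match(shown):
            shown_url = shown if "://" in shown else "http://" + shown
            shown_host = urlparse(shown_url).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(real_host):
                reasons.append("link text shows a different domain than the href")
        if reasons:
            findings.append({"shown": shown, "href_host": real_host, "reasons": reasons})
    return findings


# Constructed sample message for the example, not a real phishing email.
SAMPLE_FROM = "Airbnb Support <help@mail.airbnb.work>"
SAMPLE_BODY = (
    '<p>Confirm your account: <a href="https://www.airbnb.com/help">www.airbnb.com/help</a></p>'
    '<p><a href="http://mail.airbnb.work/login">https://www.airbnb.com/login</a></p>'
    '<p><a href="https://airbnb.com.account-verify.net/x">Verify now</a></p>'
)

if __name__ == "__main__":
    print("sender:", classify_sender(SAMPLE_FROM))
    for finding in suspicious_links(SAMPLE_BODY):
        print(finding)
```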

3. It’s poorly written

It is amazing how often you can spot a phishing email simply by the poor language used in the body of the message. Read the email and check for spelling and grammatical mistakes, as well as strange turns of phrase. Emails from legitimate companies will have been written by professional writers and exhaustively checked for spelling, grammar and legal issues. If you have received an unexpected email from a company and it is riddled with mistakes, this can be a strong indicator that it is actually a phish.

Interestingly, there is even the suggestion that scam emails are deliberately poorly written to ensure that they only trick the most gullible targets.

4. There’s a suspicious attachment

Alarm bells should be ringing if you receive an email from a company out of the blue that contains an attachment, especially if it relates to something unexpected. The attachment could contain a malicious URL or trojan, leading to the installation of a virus or malware on your PC or network. Even if you think an attachment is genuine, it’s good practice to always scan it first using antivirus software.

5. The message is designed to make you panic

It is common for phishing emails to instill panic in the recipient. The email may claim that your account may have been compromised and the only way to verify it is to enter your login details. Alternatively, the email might state that your account will be closed if you do not act immediately. Ensure that you take the time to really think about whether an email is asking something reasonable of you. If you’re unsure, contact the company through other methods.

Ultimately, being cautious with emails can’t hurt. Always remember this top STOP. THINK. CONNECT.™ tip:

When in doubt, throw it out: Links in emails, social media posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.

SOURCE: James, M. (22 August 2018) "5 Ways to Spot a Phishing Email" (Web Blog Post). Retrieved from https://staysafeonline.org/blog/5-ways-spot-phishing-emails/


What's in a Password?

Most websites and services encrypt passwords before storing them on their servers. As a result, even if hackers were to gain access to the password, they wouldn’t have access to the actual text that makes up your password.

Once criminals gain access to an encrypted password, they can use sophisticated programs to quickly guess every combination of letters, numbers and symbols until your password is cracked. As a result, longer passwords and those that contain a large variety of characters will be very difficult for programs to guess.

However, just because effective passwords should be complex, doesn’t mean that they should be difficult to remember.

The next time you need to think of a unique password, try using a favorite song lyric or quote. This will make a password that’s long and difficult for hackers to crack, and has the added benefit of being very memorable.

Turning a simple phrase like “your guess is as good as mine” into “yourguessisasgoodasmine” actually makes for a strong, and in this case ironic, password! However, be sure to add a capital letter or special character as well to make your password that much stronger.

A Balancing Act Between Memorable and Complex

Thinking of a new password can be frustrating—every service and website seems to have different requirements about length, complexity and special characters. In order to secure yourself against hackers, it’s important to think of a password that’s both memorable and complex.

Helpful Hints

Your password will only remain secure if you take steps to protect it. Be sure to never write your password down and leave it where someone can see it. Instead, consider using a password management tool. These online services will store all of your login IDs and passwords for you, but you should do some research and make sure that the service you use is reputable.

Provided by: Hierl's Property & Casualty Experts


Cyber Risks & Liabilities: September/October 2018

In this Issue

Who’s to Blame if a Security Breach Affects Your Organization?

A recent survey found that 70 percent of consumers expect businesses to take responsibility in the event of a data breach. But who within your organization should take the heat?

Acronyms All Businesses Need to Know

As cyber security evolves, it’s easy to become overwhelmed with all the terms and acronyms used. This article lists some of the most common acronyms in cyber security.

Increase in Attacks Against 911 Call Centers Highlights Need for New System

There have been 184 cyber attacks on public safety agencies and local governments since 2016, and 42 of those attacks targeted 911 call centers.

Who’s to Blame if a Security Breach Affects Your Organization?

If a security breach affects your organization, your main focus may be to solve the problem as quickly as you can, not point the finger in blame. But your customers want to know why it happened and who was responsible, even if the breach occurred because of their own lax security measures (e.g., sharing passwords or opening suspicious emails). In fact, a recent survey found that 70 percent of consumers expect businesses to take responsibility in the event of a data breach. But who within your organization should take the heat?

The CEO

If an organization doesn’t budget enough for security solutions, the fault will likely be placed on whoever makes the financial decisions, stemming from the CEO. In fact, 29 percent of IT decision-makers who took part in a recent VMware survey thought that the CEO should be held responsible in the event of a large-scale data breach.

The CISO

If a data breach occurs even after your company adequately budgets for cyber security solutions, 21 percent of IT security professionals surveyed would still hold your CISO accountable in the event of a data breach.

IT Personnel

According to a 2014 report, 95 percent of cyber security incidents are due to human error. That’s why personnel who manage IT security on a regular basis are easy targets for blame.

Other Employees

While accountability may start with the CEO and board of directors, everyone in your organization should take responsibility for cyber security. Even if you have the most modern cyber security technology, its return on investment will be nonexistent without full employee participation.

Increase in Attacks Against 911 Call Centers Highlights Need for New System

There have been 184 cyber attacks on public safety agencies and local governments since 2016, and 42 of those attacks targeted 911 call centers, according to cyber security firm SecuLore Solutions.

Over half of the attacks involved ransomware, in which hackers used a virus to control the emergency systems and hold them hostage for payment. Most of the remaining attacks were denial-of-service attacks, which involved a flood of fake calls that prevented call centers from addressing valid emergency calls.

Due to the vulnerabilities in the current 911 system and the fact that it doesn’t address the ways people communicate in the modern world—such as through texts—the emergency response industry is encouraging state and local governments to adopt a system called Next Generation 911.

The Next Generation 911 system will have advanced security and be able to seamlessly move incoming calls to other centers when needed. The new system also gives callers the choice of calling from a phone line or sending data through approved telecommunications carriers and internet service providers.

Next Generation 911 is expensive, however, and governments have been slow to adopt it. Plus, its increased connectivity also opens new potential means of attack, according to industry experts. Sophisticated defense systems run by in-house cyber security teams will be vital as the emergency response industry adopts any new technology.

Acronyms All Businesses Need to Know

Newsletter Provided by: Hierl's Property & Casualty Experts



Meeting cybersecurity risks head-on: A guide to breach preparedness

How would you manage a data breach? No company is immune to cyberattacks and data breaches. Read on to learn how you can prepare your business.


Gauging a company’s true data breach risk from the outside is a difficult endeavor for insurers, with challenges both technical and informational. But even less attention has been paid to how companies would manage a breach if it happened, which has an enormous impact on the toll of the final damage.

See also: Analyze Your Risks with Hierl's Cyber Security Advisors

No organization is immune to breach. If the National Security Agency can lose data, anyone can lose data, yet the scope of the current issue is still astounding.

According to another insurance company's 2017 cyber readiness report, 72% of large U.S. businesses — nearly three out of four — and 68% of small- and mid-sized businesses — about seven in ten — reported cyber incidents in the previous year. Among these, close to half (47%) experienced two or more cyber incidents during that same time.

The largest breaches, affecting big-name companies like Equifax, Target, Home Depot and many others, drew substantial headlines because of the huge number of identities involved. But almost every business holds some sensitive information, either regarding its customers or its own intellectual property, finances or employees. In fact, smaller organizations often lack the internal resources to dedicate towards preparedness, making them very attractive targets for hackers.

Assessing the threats to your business

The first challenge with measuring a company’s risk exposure relates to the industrywide problem of tying compliance and policy to actual security. A company may have checked all the right boxes on paper, but doing so guarantees little about their actual cyber risk position.

The second issue is that people often matter much more than technology.

The public conversation focuses on high-profile hacking events, but data breaches are even more likely to be the result of internal issues, including breakdowns in training, procedure or plain old mistakes.

The overwhelming majority of all cyber attacks are successfully executed with information stolen from employees who unwittingly give away their system ID and access credentials to hackers or provide a gateway via a malware link embedded in some form of communication.

One of the most important components of an effective data breach readiness program is mandatory and frequent training to remind employees about the importance of security awareness.

See also: Your Cyber Liability Policy & Handling Data Breaches Like A Pro

Education in information security best practices can help arm a team against threats such as phishing, man-in-the-middle attacks, malware and ransomware, substantially lowering the long-term risk.

An accurate understanding of a company’s sector-specific risks is another important point of departure in corporate cybersecurity. Healthcare employees, for instance, need to be especially on guard for EHR-related attacks and RDP server breaches, like the ones instigated by the SamSam virus (which took down Allscripts last month).

Other industries are more vulnerable to loopholes in common business apps; still others are more frequently victims of point-of-sale malware or e-mail phishing scams. Once businesses understand where and how they are most likely to be targeted, they can begin providing training that takes into account the need for added vigilance in these specific areas.

The final challenge in correctly identifying breach risk involves understanding the extent to which recovery costs can vary. Discrepancies in cost depend not only on the severity of the breach, but also on how well the organization responds. Globally, the average cost to recover from a security breach is $158 per impacted individual, but that varies from $60 to $400 per person.

While more companies than ever before are now either considering or have taken out some form of cyber insurance, this should not be treated as a risk that can simply be offloaded. Smart organizations are increasingly focusing on proactively identifying data breaches and preparing to react to them efficiently, well in advance of a data breach crisis.

Proper preparation means more education

The most devastating impacts of a data breach can only be avoided by coupling breach awareness and prevention efforts with readiness and response planning ahead of a cybersecurity incident.

Comprehensive breach readiness plans break down both pre-emptive and retrospective action steps by department: it’s sensible, for example, to task IT personnel with monitoring cloud connectivity and identifying network loopholes while entrusting financial staff with detecting suspicious activity along company bank and credit accounts.

Customer relations experts and account managers, on the other hand, are likely the best resources for overseeing client communications during and after a data breach, helping to re-establish trust and informing their consumer-facing workforce.

Here, inter-departmental communication is paramount: all workers should understand how and to whom they are to report possible breaches or scams, and when such breaches occur, the entire company should know what to expect employees in every department to do next.

Even for the most cyber-savvy corporations, however, internal resources alone are not enough these days. Outside resources are often critical to mitigating the threat of cyber attacks, stopping them once they start and restoring company functions in a breach’s aftermath.

Establishing relationships and negotiating agreements with external subject matter experts is better done far in advance of an actual data breach. Contractual terms can be negotiated without the chaos and urgency of a crisis situation. The same is true for interfacing with law enforcement and regulatory agencies.

Knowing whom to contact and having an established communication chain can pay off when trying to execute an urgent data breach response.

See also: 5 Ways to Spot a Phishing Email

Both internally and externally, the human element of cybersecurity remains a business’s best defense across an ever-widening threat landscape. With the right planning and a rapid response team, companies should be able to withstand a breach with the least damage possible, limiting losses – and claims.

SOURCE: Thompson, J. (2 March 2018) "Meeting cybersecurity risks head-on: A guide to breach preparedness" (Web Blog Post). Retrieved from https://www.propertycasualty360.com/2018/03/02/meeting-cybersecurity-risks-head-on-a-guide-to-bre/


6 ways HR can help prevent a data breach

Employees are often an organization's first line of defense against cyberattacks. Continue reading to learn the 6 ways HR can play a critical role in preventing data breaches.


Employees are an organization's first line of defense against and response to cyberattacks—which have become widespread in recent years. HR, in particular, can play a critical role in protecting sensitive information and minimizing employer liability.

Data breaches can lead to enormous liability, said Danielle Vanderzanden, an attorney with Ogletree Deakins in Boston. Some losses are easy to calculate, such as time spent on help desk activities, investigations and legal defense. Other losses are harder to quantify, such as reputational damage to the business. But it's clear that the costs can be staggering: The average total organizational cost of a data breach in the United States is $7.35 million, according to a 2017 study.

See also: Analyze Your Risks with Hierl's Cyber Security Advisors

Whether a worker intentionally sold customer data, unintentionally left a laptop on a train or carelessly left boxes of medical records unattended in a high-traffic area of a hospital, employers can wind up paying millions of dollars in damages.

So what can HR do to mitigate these costs? In large part, data security is an issue for the technology department, but HR professionals can help ensure that effective programs are in place, Vanderzanden said at the 2018 Society for Human Resource Management Employment Law & Legislative Conference. Specifically, HR can lead the way by:

  1. Knowing who is hired. Protecting personally identifiable information (PII) starts with properly vetting job candidates who will have access to sensitive information: those being considered for HR, payroll and finance positions, to name a few.
  2. Accounting for equipment. During the onboarding process, employers should complete a checklist so that they have a record of all the equipment each employee receives. Then, at the time of separation, the checklist should be consulted to ensure that all equipment is returned and workers don't walk out of the building with sensitive information.
  3. Training employees to spot issues. Workers may not always know how to identify an issue—such as a phishing scam through which a cybercriminal sends an e-mail that looks like it came from someone in the company. An employee may quickly respond to the message and divulge personal information that can be used to access payroll and other information. Employees should be trained on how to identify scams and also should know what to look for in a legitimate company e-mail, such as a standard signature line, a photo of the sender and a company e-mail address.
  4. Encouraging workers to speak up. When a breach or attempted breach occurs, employees who handle PII must feel comfortable stepping up and notifying the appropriate staff. This is essential for resolving the situation, but also because employers must provide certain notices when information is compromised.
  5. Carefully crafting BYOD policies. Bring-your-own-device (BYOD) policies may turn into bring-your-own-breach policies in practice, Vanderzanden said. The more mobile the device, the easier it is for an unauthorized person to walk away with the device and any sensitive information that is stored on it. If employers are going to have a BYOD policy, they should have written policies about what will happen if the device is lost or stolen and what will happen upon termination of employment. Among other things, they should also have a procedure for remotely wiping data from the device.
  6. Building a culture of compliance. Representatives from different business functions—such as IT, HR, security and finance—should work together to ensure that data security measures are ingrained in the organization's practices. Moreover, compliance and cooperation must start in the C-suite. HR can play a role in influencing senior management about the importance of having everyone in the organization follow security procedures.

Check State Laws

HR professionals should note that state laws are the primary source of potential identity-theft liability for employers. "State laws in this area are a patchwork collection and are neither uniform nor completely consistent," said Patrick Fowler, an attorney with Snell & Wilmer in Phoenix, in an interview with SHRM Online. California and Massachusetts have been more active than other states in passing data privacy legislation, but virtually all of the states have data breach notification laws at this point, he noted. Employers should make sure they know what is required under relevant state laws.

See also: Your Cyber Liability Policy & Handling Data Breaches Like A Pro

SOURCE: Nagele-Piazza, L. (14 March 2018) "6 ways HR can help prevent a data breach" (Web Blog Post). Retrieved from https://www.shrm.org/resourcesandtools/legal-and-compliance/employment-law/pages/6-ways-hr-can-help-prevent-a-data-breach.aspx


Your Cyber Liability Policy & Handling Data Breaches Like A Pro

In the digital age we live in, it has never been more critical to have a focused, working cyber liability policy. A data breach for a company is a bad dream but having to tell their customers they’ve undergone a data breach is a nightmare. For this month’s CenterStage, Hierl’s wonderful VP of Property & Casualty, Cathleen (Cathy) Christensen, has brought you some helpful, informative advice on securing a reliable cyber liability policy, enabling you to handle data breaches like a pro.

See also: 6 ways HR can help prevent a data breach

About Cathleen

Cathleen Christensen is the current Vice President, Property & Casualty of Hierl Insurance, Inc. Cathy’s expertise lends itself well to helping local businesses with their commercial insurance and risk management needs. She attended Alverno College in Milwaukee, WI before her career in insurance. In her 25 years of experience in the industry, she has worked on the insurance company side as an underwriting manager, as well as on the agency side as an account executive. Cathy has also been an entrepreneur herself, which enables her to understand the demands businesses face today.

So, let’s get into it: how do you choose a successful cyber liability policy and avoid business-fatal data breaches?

The 3 Big Issues of a Data Breach & How a Cyber Liability Policy Comes In Handy

When it comes to cyber liability, three issues plague businesses. First, there are 47 states in the United States that have separate data breach laws regulating what business owners must do when a data breach has occurred. Companies that stretch across more than one state face the complication of knowing and complying with each of these laws. Second, there is the public relations issue – sharing that you’ve had a data breach with customers in a way that won’t completely destroy your company. The leak of private customer information can lead to lawsuits, too, which leads us to what’s next. Finally, there is the price tag:

“In 2016, the average cost for each lost or stolen record containing sensitive and confidential information is a hundred and forty-one dollars. This is down ten percent from the previous year, but still incredibly significant.” -Ponemon Data Breach Study

When all three of these issues become a certain reality for your business, you are past the point of being able to protect yourself. You need third-party cyber liability experts to step in and help you handle the laws, the PR, and the price tag. Cyber liability insurance policies are tailored to meet your company’s specific needs and as part of their data breach coverage can include forensic, legal and public relations support. It is important to remember that in today’s environment, no company is immune to the possibility of being a victim of cyber crime. However, there are some things you can do to lower your risk of a data breach.

  1. Employee Corporate Security Policy Education. Did you know it’s more common for an employee to unintentionally leak information than it is to be hacked? This is why it’s crucial to educate your employees on cyber risks, but also to have a clear, focused Corporate Security Policy in place.
  2. Encrypt ALL Confidential Data. Even the simplest of things should be encrypted. Plus, don’t use the same password on EVERYTHING. Have different passwords or codes for as many things as possible. That way, if someone were to hack you, they can’t unlock everything. If you’re someone who forgets your passwords easily, have a notebook or binder where your company information resides and keep it under lock and key, to be used only with express permission.
  3. Backup, Backup, Backup. Let’s say your company’s entire computer system is shut down by a virus and you lose everything. That’s a frightening scenario, right? So, avoid it by having backups, and many of them. A general rule of thumb is to have three solid backup methods. Perhaps you have a couple of online storage services where you keep files, plus an external hard drive. It doesn’t matter which – just make sure you have it backed up!

There are also a couple of relevant, key issues Cathy wanted to update employers on:

  • Ransomware & Social Engineering Fraud. The biggest scams of today are these two cyber crimes. Both work to steal company information by acting as perfectly normal requests, surveys or even Facebook personas. Employees fall into their traps, giving out company information freely, not realizing it was under false pretenses. Never, ever give out company information – even on something that seems like an official document – without consulting your manager or boss, first.
  • Federal Communications Commission (FCC). The FCC provides a tool for small businesses that can create and save a custom cyber security plan for your company, choosing from a menu of expert advice to address your specific business needs and concerns. It can be found at www.fcc.gov/cyberplanner.

See also: Analyze Your Risks with Hierl’s Cyber Security Advisors

Don’t sit back and wait for cyber doomsday. Take your policy into your own hands, set company standards, and consider cyber liability insurance to help protect your business from the cost of a cyber attack.

At Hierl, Property & Casualty coverage is a partnership, not a product. We look at your entire organization, listen to you, assess your risk, develop a complete strategy and deliver a full-service solution. Our team of experts starts by looking at your risk and helping you to gain Insight™ into what is in store for tomorrow. If you have any questions or are interested in knowing whether Hierl’s cyber liability solutions are a good fit for you, please contact Cathy at 920.921.5921.