Several major companies, including Sprouts Farmers Market, Seagate Technology, and Ryman Hospitality Properties, the parent company of the Grand Ole Opry, were recently breached by phishing scams that exposed significant amounts of employee information.
Ryman Hospitality first learned of the breach on March 23, Billboard reports.
“An employee received an email that appeared to have been sent by an officer of the company asking for employee W-2 information,” Ryman Hospitality said in a statement. “In reality, this email was sent from an outside party using a common fraud tactic known as email spoofing/phishing and, as a consequence, personal employee information was disclosed externally.
“We believe that any person who received a W-2 from us in 2015 may be impacted, but this does not include those who provided a Form 1099,” the company added.
In a similar breach, Sprouts Farmers Market acknowledged that an employee had responded to an email that claimed to come from a senior executive and requested a copy of all 21,000 Sprouts employees’ 2015 W-2 statements. The employee provided the data without realizing it was a scam.
“Sprouts is working with the FBI and the IRS to investigate this crime and to determine the best ways to protect team member tax information,” company spokeswoman Donna Egan told SC Magazine. “Anyone who received a W-2 form from Sprouts for 2015 may be impacted.”
And earlier this month, several thousand Seagate Technology employees’ W-2 forms were exposed by a similar phishing scam, according to KrebsOnSecurity.
“On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was sent to an unauthorized third party in response to the phishing email scam,” Seagate spokesman Eric DeRitis said. “The information was sent by an employee who believed the phishing email was a legitimate internal company request.”
Fatih Orhan, director of technology at Comodo, told eSecurity Planet by email that every company needs to be aware that it will inevitably be hit by phishing attacks. “The landscape of phishing threats is vast, and many companies have a false sense of being secure with products or services that simply don’t work,” he said. “Detection is not a form of protection. Phishing attacks are becoming more targeted as well, casting a wide net that looks at a specific region or sector of a company.”
“When in doubt, contact the company or sender directly before clicking,” Orhan added. “It’s a ‘think before you click’ thought process.”
And STEALTHbits Technologies marketing program manager Nathan Sorrentino said by email that it’s crucial to understand that no type of anti-virus can protect against attacks like these. “Until organizations become more proactive in training their employees to look for the signs of this now all-too-common phishing scam, the attacks will continue into the foreseeable future,” he said.