It’s early in the year. Famco’s employees are looking to get their taxes done. Anticipated refunds will ease the pain from holiday excess. The small manufacturer’s CFO sighs in relief that the rush to complete the corporate W-2s is done. Down the hall, Famco’s controller opens an email from his CEO. Nothing out of the ordinary in how it looks, but its message is a bit odd. The CEO says she’s working on a significant project for tax purposes and needs all employee 2016 W-2s pronto in .pdf form. She’s a hard driver. The controller fears wasting her time if he raises questions, so he dutifully rolls all the W-2’s into one attachment and responds.

No questions asked–just obedience–even though he knows the CEO never works hands-on at this level. But, if that’s what she wants…

The next week, one of Famco’s sales managers stops by the CFO’s door complaining that he couldn’t file his taxes electronically. The IRS claimed to already have his return on file. He expects a substantial refund and is frustrated. The next day, Famco’s logistics coordinator emails the CFO asking about problems with the IRS refusing to accept tax returns.

Curious now, the CFO visits the IRS website. He sees an IRS Notice about false tax returns being filed by criminal elements claiming taxpayer refunds. The ruse is discovered when the taxpayer’s efforts to file electronically are rejected. The Notice warns this is now a common internet scam, “phishing”, where the scammer duplicates a corporate email style and uses what looks like a CEO’s email address as the originating email to a CFO or controller seeking employee W-2s. But the key to the scam is that the email’s return domain is almost imperceptibly varied. Instead of “CEO@famcorp.com”, it might be CEO@famcoorp.com, “CEO@famcorp.rus” or some other slight, but significant, shift.

Famco’s CFO immediately calls his staff together. The controller mentions the CEO’s email and how he timely and duly responded, no questions asked. Copies of the relevant emails are produced. Indeed, the controller’s response with the W-2s was routed not to the CEO, but rather to the internet’s dark underbelly, putting all employee personal identifying information, “PII” (e.g., here: names, addresses, social security numbers and earnings), instantly in scammers’ hands. Sickened, the CFO takes this information to the CEO.

Famco has a serious, immediate problem, and the CEO is very concerned. Suddenly the entire cybersecurity of the company is in doubt. The company’s counsel must be involved. The Tech Support team verifies there was no breach of their firewalls or security in software or hardware. Costly and embarrassing employee notifications must be issued. But how? When?
Federal or state mandated public notification may be necessary. Risk scenarios have to be determined. Do law enforcement authorities need notification? Is that confidential? Board or even shareholder notification requirements may apply. Identity protection needs to be purchased for impacted people at the company’s expense. What about cyber-risk insurance coverage? Intercepted Famco employee refunds need recompense.

The list goes on. Even for a small company such an event can crush profits or worse, with remediation costs running deep into the thousands, tens of thousands of dollars or even more. Larger companies can expect remediation costs running into the millions of dollars as the number of those impacted skyrockets. Bad publicity, loss of goodwill and reputational damage just pile it on.

Some corporate leaders may scoff, “that will never happen to us!” In reality, the question is not “if”, but “when”. Thousands of upstanding companies, large and small, around the country were scammed like this in the past two years alone. Walter | Haverfield’s Cybersecurity Team received a number of client calls here as tax season unfolded last year. No doubt new scams are developing for 2017.

But this sort of phishing scam is avoidable if the company creates an atmosphere of 360-degree verification on trade secret, intellectual property, PII, and other confidential information. Had the controller simply verified the email request with the CFO or even the CEO, the entire disaster would have been avoided. A priority must be stressed within the company of verifying questionable or even routine-looking requests for such information up the chain of responsibility. Company policies need to be in place – with employees trained — requiring verification either in person, by phone, or by separate (not “reply”) email before response to such emails, regardless of the person purportedly seeking the information.

Although Famco is a fictitious name here, these incidents are as real as real can be. The time to “respond” to an incident is before the incident by putting the company’s response outline in place in advance of a breach. Only the scammer knows when that will happen. Experienced cybersecurity attorneys can assist in developing such policies and even more importantly can help create an Incident Response Plan or Cyber Incident Management Plan. If disaster strikes your company—whether or not you had adequate plans in place–make sure you have the right legal resources to help assist in getting through these problems efficiently, effectively and economically.

Craig Marvinney can be reached at 216-928-2889 or cmarvinney@walterhav.com.