HR security may be improving, according to Verizon’s “2019 Data Breach Investigations Report.” It is a welcome development for HR security, but one the report’s authors cannot fully explain.
Specifically, Verizon found that fewer HR personnel are falling victim to phishing and pretexting attacks. This is correlated with “W-2 scams almost disappearing from our dataset,” the report stated.
For the past several years, the IRS has issued warnings about W-2 phishing scams, which often target HR employees. W-2 information is coveted by attackers because a W-2 carries the name, Social Security number and wage data needed to file a fraudulent tax return in the employee’s name. In 2018, the IRS called the W-2 scam “one of the most dangerous phishing emails in the tax community.”
In its data set, Verizon has seen a decline in W-2 scams. Its data showed 51 W-2 scam attacks in 2016, 70 in 2017, but only 14 in 2018, the year the 2019 report covers, according to Dave Hylender, a senior risk analyst at Verizon.
“We are not saying that W-2 attacks have ended, but we are saying that they have drastically decreased in our data set,” Hylender said in an email. “This is a somewhat puzzling finding.”
They know from their data, and what they see on the news, “that these attacks are often successful and lucrative for the criminal,” Hylender said.
Verizon based its overall report findings on an analysis of 41,686 security incidents. Of that number, 2,013 were confirmed data breaches. Under Verizon’s definitions, a security incident is “a loss of confidentiality, integrity or availability,” while a confirmed breach means data was actually disclosed to an unauthorized party. The report covers the full range of security, not just HR security incidents.
HR security may be improving
There are several possibilities for the decline in W-2 incidents, including media coverage that has made HR employees more aware of the problem. It may also be due to increased HR security training and better policies, Hylender said.
Over the past few years, Hylender said they have seen a good number of breaches targeting HR employees. A common scenario is a phishing attack followed by a “social pretexting email to a member of the HR group which purports to be from the person who was phished,” he said.
The attacker usually explains that they are trying to finish a last-minute audit and are in need of employment and tax details, according to Hylender.
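The two-step pattern Hylender describes, a compromised or impersonated employee mailbox followed by an “audit” request to HR for W-2 data, is the kind of thing a mail gateway or SOC triage script can score on the headers and body alone. What follows is an added example, not code from the article, from Verizon or from the IRS: a small Python triage function that combines three signals (a request for W-2 / payroll / SSN data, an urgency or audit pretext, and a sender that only looks internal because Reply-To points elsewhere, the sending domain is not the company’s own, or the gateway recorded an SPF/DKIM/DMARC failure). The INTERNAL_DOMAIN value, the keyword lists and the three sample messages are constructed assumptions for the demonstration.

```python
"""Heuristic triage for W-2 pretexting emails sent to HR.

Added example for this article; not code from Verizon or the IRS.
INTERNAL_DOMAIN, the regexes and the sample messages are assumptions.
"""
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# What the attacker asks for (W-2s, payroll records, SSNs) ...
REQUEST_RE = re.compile(
    r"\b(w-?2s?|payroll (records|data|report)|social security numbers?|ssns?|"
    r"employment and tax details)\b", re.I)
# ... and the pretext used to rush the HR recipient into sending it.
PRETEXT_RE = re.compile(
    r"\b(last[- ]minute|audit|urgent(ly)?|asap|immediately|"
    r"before (the )?end of (the )?day)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    # Only text/plain parts are scored; HTML-only mail would need stripping first.
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return msg.get_payload()


def triage(raw_message: str) -> dict:
    """Return a verdict (high / medium / low) plus the individual signals."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}"
    auth = msg.get("Authentication-Results", "")

    signals = {
        "asks_for_w2_data": bool(REQUEST_RE.search(text)),
        "urgency_or_audit_pretext": bool(PRETEXT_RE.search(text)),
        # Display name and From look internal, but replies are routed elsewhere.
        "reply_to_leaves_org": bool(reply_to) and _domain(reply_to) != _domain(from_addr),
        # Lookalike or outright external sending domain.
        "sender_domain_not_internal": _domain(from_addr) != INTERNAL_DOMAIN,
        # If the gateway recorded an authentication failure, the From is spoofed.
        "auth_failed": bool(re.search(r"\b(spf|dkim|dmarc)=fail\b", auth, re.I)),
    }
    sender_suspicious = (signals["reply_to_leaves_org"]
                         or signals["sender_domain_not_internal"]
                         or signals["auth_failed"])
    if signals["asks_for_w2_data"] and signals["urgency_or_audit_pretext"] and sender_suspicious:
        verdict = "high"
    elif signals["asks_for_w2_data"] and (signals["urgency_or_audit_pretext"] or sender_suspicious):
        verdict = "medium"   # e.g. a genuinely compromised internal account: content signals only
    else:
        verdict = "low"
    return {"verdict": verdict, "signals": signals, "from": from_addr, "reply_to": reply_to}


# Constructed sample messages (not real incidents).
PRETEXT_MSG = textwrap.dedent("""\
    From: "Jane Doe" <jane.doe@example.com>
    Reply-To: <jane.doe@mail-example.co>
    To: hr@example.com
    Subject: Quick request
    Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com

    Hi, I am finishing a last-minute audit for finance and need the W-2s for
    all employees as a PDF today. Please send them directly to me.
    """)

LOOKALIKE_MSG = textwrap.dedent("""\
    From: "Jane Doe" <jane.doe@examp1e.com>
    To: hr@example.com
    Subject: Employee list
    Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e.com

    Can you send me the payroll report with social security numbers for
    everyone? It is for the new benefits vendor.
    """)

BENIGN_MSG = textwrap.dedent("""\
    From: "Sam Lee" <sam.lee@example.com>
    To: hr@example.com
    Subject: W-2 availability

    Hi, do you know when this year's W-2s will be posted to the portal? Thanks.
    """)

if __name__ == "__main__":
    for name, raw in (("pretext", PRETEXT_MSG), ("lookalike", LOOKALIKE_MSG), ("benign", BENIGN_MSG)):
        print(name, triage(raw)["verdict"])
```

The verdict is a triage priority, not a block decision: a message from a genuinely phished employee passes SPF and DKIM and has no Reply-To trick, so only the content signals remain and it lands at “medium”, which is exactly the case where an out-of-band confirmation (a phone call to the named requester) rather than a reply email should be the HR policy.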
But getting a real-time look at how HR is being impacted by data theft attempts is difficult. Many states do not publish data breach reports submitted by affected organizations.
Plus, phishing is often cited as a problem, but it’s not the only one.
In April, the Port of Seattle, for instance, said that an externally hosted website it uses to submit workers’ compensation claims and administer a driver safety program was found to have a security vulnerability. Names, Social Security numbers and driver’s license numbers of employees and contractors “may have been discoverable to unauthorized users of the website.”