Multiple organizations at MIT have been targeted by a series of “spear-phishing” campaigns. The IRS has issued a bulletin indicating that there has been a recent uptick in W-2 scam attacks.
Ordinary phishing campaigns typically cast a wide net and harvest whatever comes back, such as login credentials. Spear-phishing targets specific individuals with the aim of getting confidential data (e.g., tax documents) or money (through funds transfers). The “spear-phisher” tries to dupe you into trusting them by appearing to know about you or your situation. They do this by collecting publicly available information (your websites, LinkedIn profile, and/or résumé on a job site).
Here’s an example of the latest W-2 spear-phishing campaign: John Doe handles financial transactions for his company. He receives an email that looks like it’s from his director, Jane Roe. Jane asks him to wire $50,000 to a bank account number and to send her a copy of a certain employee’s W-2 form. The email refers to John by name, maybe even by a nickname, but it does not contain Jane’s normal email signature. The sender name reads “Jane Roe”, but the address behind that name is not hers (or the message’s Reply-To points elsewhere), so when John replies, his answer goes to the scammer instead of Jane.
First, if you are being asked to transfer a large amount of money or provide private personal data, especially tax-related data, ask the requestor to confirm the inquiry in person, or call them directly using a phone number you already have, not one supplied in the email.
Second, check the actual email address, not just the display name, that appears in the To field when you attempt to reply to the email. A familiar name over an unfamiliar address, or an address outside your organization, is a warning sign. If you don’t recognize it, think twice.
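The two header tricks in the John and Jane example above (a familiar display name over an unfamiliar From address, and a Reply-To that redirects the answer) can be checked mechanically. The following Python script is an added example and is not part of the original MIT notice; the sample messages, names, addresses, domains and the small “known senders” directory are all constructed placeholders.

```python
"""Flag the display-name and Reply-To tricks used in W-2 spear-phishing.

Added example, not from the original notice. Sample messages, addresses,
domains and the KNOWN_SENDERS directory below are constructed placeholders.
"""
import email
from email.utils import parseaddr

# Constructed message modelled on the scenario: the display name says
# "Jane Roe", the From mailbox is not Jane's, and Reply-To sends the
# answer to yet another address outside the organization.
SCAM_EML = b"""\
From: "Jane Roe" <jane.roe@example-mail.test>
Reply-To: "Jane Roe" <jroe.director@example-webmail.test>
To: John Doe <jdoe@example.edu>
Subject: Urgent wire transfer and W-2
Date: Tue, 14 Feb 2017 09:12:44 -0500
Content-Type: text/plain; charset="utf-8"

John,
Please wire $50,000 to the account below today and send me a copy of
the W-2 for the employee we discussed. Thanks.
"""

# Constructed legitimate message from the real Jane, no Reply-To header.
BENIGN_EML = b"""\
From: Jane Roe <jane.roe@example.edu>
To: John Doe <jdoe@example.edu>
Subject: Budget meeting
Date: Tue, 14 Feb 2017 10:01:02 -0500
Content-Type: text/plain; charset="utf-8"

John, can we move the budget meeting to 3pm?
"""

# Hypothetical directory: the address(es) the organization knows for a
# person, keyed by lower-cased display name.
KNOWN_SENDERS = {"jane roe": {"jane.roe@example.edu"}}
ORG_DOMAINS = {"example.edu"}


def reply_address(raw):
    """Return the address a reply actually goes to: Reply-To if present, else From."""
    msg = email.message_from_bytes(raw)
    hdr = msg.get("Reply-To") or msg.get("From") or ""
    return parseaddr(hdr)[1].lower()


def check_message(raw):
    """Return a list of human-readable findings (empty if nothing looks off)."""
    msg = email.message_from_bytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    reply_to = reply_address(raw)
    findings = []

    # 1. Display name matches someone we know, but the address is not theirs.
    known = KNOWN_SENDERS.get(from_name.strip().lower())
    if known is not None and from_addr not in known:
        findings.append(f"display name '{from_name}' but unknown address {from_addr}")

    # 2. Replies are silently redirected to a different mailbox.
    if reply_to != from_addr:
        findings.append(f"replies go to {reply_to}, not to {from_addr}")

    # 3. Wherever the reply goes, it leaves the organization.
    reply_domain = reply_to.rsplit("@", 1)[-1]
    if reply_domain not in ORG_DOMAINS:
        findings.append(f"reply address is outside the organization ({reply_domain})")

    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EML), ("benign", BENIGN_EML)):
        print(label, check_message(raw) or "no findings")
```

The third check is the one most worth automating at the mail gateway: an external Reply-To on a message whose display name matches an internal employee is exactly the pattern in the scenario above.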
Remember, always be vigilant when responding to requests for private information!