Snapchat, Seagate among companies duped in tax-fraud scam
A major phishing scheme has tricked several major companies — among them, the messaging service Snapchat and disk-drive maker Seagate Technology — into relinquishing tax documents that exposed their workers’ incomes, addresses and Social Security numbers.
The scam, which involved fake emails purportedly sent by top company officials, convinced the companies involved to send out W-2 tax forms that are ideal for identity theft.
[...] measures, however, won’t necessarily shield unwitting victims from the headaches that typically follow identity theft.
“This mistake was caused by human error and lack of vigilance, and could have been prevented,” Seagate Chief Financial Officer Dave Morton wrote in a March 4 email to the company’s employees about the breach.
The schemes are so widespread that the IRS sent a March 1 notice alerting employers’ payroll departments to the spoofing emails.
Both Snapchat and Seagate notified federal authorities about the phishing attacks and are offering affected workers two years of free credit monitoring.
Phishing attacks commonly occur during holidays and other annual events, such as tax season, to prey upon people’s routines, said Fatih Orhan, director of technology at security firm Comodo.
The attacks are becoming increasingly effective because they rely on powers of persuasion instead of an attachment or link that might raise suspicion, said Ed Jennings, chief operating officer at email security company Mimecast.
Even without a red flag like that, payroll and personnel specialists should be trained well enough to question why a CEO needs to see individual worker W-2s in the first place.