W-2 Whaling Epidemic Hits Sprouts Grocery

Ready the harpoons: A freshly successful whaling scam, this time targeting the grocery store chain known as Sprouts Farmers Markets, has emerged.

The FBI and IRS reportedly are investigating a phishing scam at Sprouts after a payroll department employee at the company’s Arizona headquarters responded to an email thought to be from a company senior executive. That email requested 2015 W-2 statements of all Sprouts workers.

The employee complied with the request, according to sources, but the company quickly realized that the email was not legitimate and contacted federal authorities.

The ramifications are not insignificant: Sprouts employs more than 21,000 people at more than 200 stores across the country, according to its website. And the forms have all of the details that cyber-criminals need to mount ID theft efforts—and follow-on phishing attacks.

According to Jonathan Sander, vice president at Lieberman Software, the situation shows that there are important protective organizational changes that should be made.

“The question to ask about the Sprouts data breach is why that payroll employee had on-demand access to so much sensitive information?” he said via email. “If a payroll employee wants one W-2, then maybe you just let them have it. If that same employee wants all of them all at once, then there should be something that triggers to say this is a different sort of request that deserves more scrutiny.”

He added when systems are asked to give people extraordinary privilege to access sensitive information, those systems should be made smart enough to put a check on that power. "If the system had stopped this employee and made them get an approval from some appropriate authority to lay hands on every single W-2 all at once, then maybe we’d be reading about a security success not yet another data breach,” he added.  

The incident shows that the “whaling" epidemic—where a fraudster emails a senior member of the finance team pretending to be the CEO, usually using domain spoofing—shows no sign of waning. Typically whaling is done as a bid to con the employee into making a large wire transfer out of the company, but as this incident shows, there are increasingly other targets, like employee W-2 forms.

This attack is the latest in a string of tax-season heists that involve phishing and whaling aimed at conning employees into giving out tax information." Last week, news emerged that Care.com became a victim—and before that, Snapchat, ERM and Seagate admitted to falling for the ruse.

“In general, whenever a request is received to send sensitive personal information outside of regular business processes, it is always a good idea to validate the request through a separate channel such as via telephone,” counseled Craig Young, computer security researcher at Tripwire, via email. “Email based scams, and in particular spoofed wire transfer requests, have become a huge problem for businesses around the world. Having employees trained at recognizing fraudulent email is an important step to combating scams.”

He added that use of cryptographically signed emails and securely configured mail services with advanced spam filters, sender policy framework (SPF), and DomainKeys Identified Mail (DKIM) configurations can also greatly reduce the likelihood of a successful scamming.

Photo © Ken Wolter/Shutterstock.com

What’s Hot on Infosecurity Magazine?