BeginnerSocial Engineering Defence

Protect W-2 forms and employee personal data from email-based requests

W-2 BEC attacks specifically target HR and payroll staff with emails impersonating executives requesting "a copy of all employee W-2 forms." The forms contain every employee's Social Security number and income data — sufficient to file fraudulent tax returns on their behalf. These attacks peak in January–April before the US tax season. The defence: establish a policy that W-2 data, payroll records, and employee SSNs are never transmitted via email regardless of who requests them. Any such request must be fulfilled through an internal HR system with audit logging, never as an email attachment.

Tags

W-2BECpayrollSSNHR security

More in Social Engineering Defence

All guides
beginnerfeatured

Verify wire transfer requests by calling a pre-registered number — never one from the email

Business Email Compromise (BEC) caused more than $3 billion in losses in 2022 alone. Every BEC attack involving a wire transfer succeeded because the victim called back a phone number from the fraudulent email, or did not call back at all. The defence is simple and absolute: any wire transfer request arriving via email must be verified by calling the requestor at a number already in your company directory or phonebook — not a number provided in the email. FACC lost €50 million because no one picked up the phone. Ubiquiti lost $46.7 million for the same reason. A 60-second phone call to a known number prevents these attacks entirely.

See: Ubiquiti BEC FraudSocial Engineering Defence
beginner

Require out-of-band identity verification before any MFA reset or privilege escalation

The MGM Resorts breach and the Caesars Entertainment breach both began the same way: a caller to the IT helpdesk provided an employee's name (found on LinkedIn) and convinced the operator to reset MFA credentials over a phone call. With MFA reset, the attacker had full account access. Any request to reset MFA, change recovery methods, or grant elevated privileges must require verification through a separate, independent channel — a video call where the employee displays their physical badge, a manager confirmation via internal ticketing, or a physical visit to the help desk. The single phone call channel is broken by design.

See: MGM ResortsSocial Engineering Defence
beginner

Train employees that urgency plus unusual channel is a red flag, not a reason to act faster

Virtually every social engineering attack combines two elements: urgency ("this is time-sensitive, act now") and an unusual communication channel ("my CEO emailed me on WhatsApp"). The urgency is designed to short-circuit the instinct to pause and verify. The unusual channel is used because the legitimate channel would fail verification checks. Train employees to treat these two signals as reasons to slow down and verify, not to act faster. The LastPass employee who received AI-cloned audio of their CEO's voice via WhatsApp correctly identified it as suspicious because it came through an unofficial channel with unusual urgency — and reported it rather than complying.

See: LastPass Deepfake AudioSocial Engineering Defence