March 16, 2016

Payday lending firm Moneytree is the latest company to alert current and former employees that their tax data — including Social Security numbers, salary and address information — was accidentally handed over directly to scam artists.

moneytreeSeattle-based Moneytree sent an email to employees on March 4 stating that “one of our team members fell victim to a phishing scam and revealed payroll information to an external source.”

“Moneytree was apparently targeted by a scam in which the scammer impersonated me and asked for an emailed copy of certain information about the Company’s payroll including Team Member names, home addresses, social security numbers, birthdates and W2 information,” Moneytree co-founder Dennis Bassford wrote to employees.

The message continued:

“Unfortunately, this request was not recognized as a scam, and the information about current and former Team Members who worked in the US at Moneytree in 2015 or were hired in early 2016 was disclosed. The good news is that our servers and security systems were not breached, and our millions of customer records were not affected. The bad news is that our Team Members’ information has been compromised.”

A woman who answered a Moneytree phone number listed in the email confirmed the veracity of the co-founder’s message to employees, but would not say how many employees were notified. According to the company’s profile on Yellowpages.com, Moneytree Inc. maintains a staff of more than 1,200 employees. The company offers check cashing, payday loan, money order, wire transfer, mortgage, lending, prepaid gift cards, and copying and fax services.

Moneytree joins a growing list of companies disclosing to employees that they were duped by W2 phishing scams, which this author first warned about in mid-February.  Earlier this month, data storage giant Seagate acknowledged that a similar phishing scam had compromised the tax and personal data on thousands of current and past employees.

I’m working on a separate piece that examines the breadth of damage done this year by W2 phishing schemes. Just based on the number of emails I’ve been forwarded from readers who say they were similarly notified by current or former employers, I’d estimate there are hundreds — if not thousands — of companies that fell for these phishing scams and exposed their employees to all manner of identity theft.

W2 information is highly prized by fraudsters involved in tax refund fraud, a multi-billion dollar problem in which thieves claim a large refund in the victim’s name, and ask for the funds to be electronically deposited into an account the crooks control.

Tax refund fraud victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS. To learn more about tax refund scams and how best to avoid becoming the next victim, check out this story.

For better or worse, most companies that have notified employees about a W2 phish this year are offering employees the predictable free credit monitoring, which is of course useless to prevent tax fraud and many other types of identity theft. But in a refreshing departure from that tired playbook, Moneytree says it will be giving employees an extra $50 in their next paycheck to cover the initial cost of placing a credit freeze (for more information on the different between credit monitoring and a freeze and why a freeze might be a better idea, check out Credit Monitoring vs. Freeze and How I Learned to Stop Worrying and Embrace the Security Freeze).

“When something like this happens, the right thing to do is to disclose what you know as soon as possible, take care of the people affected, and learn from what went wrong,” Bassford’s email concluded. “To make good on that last point, we will be ramping up our information security efforts company-wide, because we never want to have to write an email like this to you again.”


38 thoughts on “Thieves Phish Moneytree Employee Tax Data

  1. Joe

    I don’t understand why since this happens so much now that employees are not told to double check with the person by phone or up the chain of command if the email is in fact genuine or a scam when it involves peoples personal data. This makes no sense. If I received and email wanting peoples personal data you better be damn sure I am gonna check with the person who supossedly sent the email to make sure its really them that sent it. You don’t fool around with peoples personal data.

    1. Sec Guy

      This happens because people don’t believe it will happen to them. Seen it time and again. The other thing I see is even after these scams and others come in and we’ve seen it in our company that management believes we’re secure. There is a false sense of security or head in sand approach to responding to this because we were able to identify it or the staffer identified it. Making this assumption that we’re secure and that everyone will behave in the same way is dangerous. The attacks are getting much quicker and becoming much more dangerous. I don’t see that our security (and I work in security) can keep up at all, generally because of a lack of support from the business and senior leadership in recognizing the risk. Mentality is people need to have as few hurdles as possible in order to do their job and security gets in the way.

      1. TGuerrant

        There’s a third factor at work, I think: Goal orientation.

        If we’re set a challenge and see that we can meet it, we’re likely to shift into Succeed! mode and meet that challenge. Parents train that into us early and teachers do a great job of broadening the response by tossing out questions for students to answer. Who answers the question or completes a task is smart, right? Success!

        We meet challenges (demands) all day long at work and at home. “Honey, close the garage door.” Was that really my spouse’s voice? Should the garage door really be left open? Is the dog about to get out? Is a raccoon about to get in? Is the kid lying with head directly under door in one of those thin-the-herd maneuvers kids specialize in? How many questions should you pause to ask yourself and answer before closing the garage door?

        I think phishers benefit from triggering a meet-the-challenge response in their targets. The alleged boss is in dire need and is depending on the target to help. Can the target come through? YES! Must succeed!

        Oh, wait….

        1. Alaham

          Absolutely. This is the entire basis of Social Engineering, triggering an action based on an emotional response or perceived responsibility to meet a challenge or request. My organization has received several of these emails in the last few months, the only difference I can perceive as to why we have not fallen victim to them is early notification of the threat to leadership before it happens and continual information sharing and education with staff. Providing staff with the tools to help identify phishing emails as well as an easy avenue to report suspicious items has greatly increased the chance that they will call someone (Infosec) to verify prior to taking matters into their own hands.

    2. Andrew

      I agree completely. Companies need to do a better job training their employees who have access to sensitive personal information. It might seem like common sense to verify this type of request before sending the data, but apparently not.

      1. TGuerrant

        Generally phishers add some kind of imaginary time crunch. The data’s needed immediately for an important reason and only the target can help. Wanting to be responsive and responsible, the target complies.

        The under-performing, careless employee is actually less likely to get phished than the high-performing, dutiful employee. In the time it takes an under-performer to devise a shirk, the high-performer has delivered the data.

        One helpful device is to giving employees a brief checklist of, say, two or three things the head of the organization expects them to complete before handing over data even if one day on the phone or in email that authority figure seems to be commanding otherwise. Tell the employees to expect drills and those who fail to complete the checklist before complying with the authority figure’s demands will get a result they do not like or have something they do like withheld.

        Most people try to do the right thing most of the time. Phishers exploit that by convincing people that the right thing is to give them data.

      2. Rick

        Maybe if we encrypted more email internally such things would fail. Sure you can have the PII, but you won’t be able to read it unless you are who you say you are.

        And it would be easy to set up encryption for internal emails compared to external emails.

    3. Regret

      Unfortunately, these positions are not filled with the most highly skilled people… they are generally clerical functions and this work is pushed down in the organization as far as possible. Seems like a better solution inside an organization would be to lock sensitive employee data in a database with rules so that it would be impossible for a functionary to generate output that contained sensitive info.

      I would be interested in Brian’s and commenters’ thoughts about whether this is an argument for or against outsourcing payroll and similar functions to a third party who may be less susceptible to phishing, but who may be more susceptible to a hack (they would be a big target).

      1. Jos

        Especially forbiding massive data dumps or extracts (like export all records to CSV). Once you allow that, you loose control.

      2. The Tech Bear

        I don’t think payroll services are any more secure as they have the same level of corporate bureaucracy as all major companies. I work for one, and I, too, received one of these e-mails. It wasn’t as severe, though…they only received names, addresses, and salary information but no SSN’s of our employees, but our customers’ data wasn’t affected. I’m sure with a little searching they can find SSN’s for each person that has a digital footprint, but they’ll have to at least do a little work. I’m not worried, I’m FROZEN, and I have a government PIN (for what it’s worth) for tax filings.

    4. JW

      I completely agree. I am so tired of people falling for these scams and just in general being reckless with the information they send out!

    5. DavidD

      We should expect to see phishing and other social engineering related attacks increase, maybe by orders of magnitude. That is how you circumvent all manners of preventive technical controls. And I don’t think we should get too smug about “stupid users” who do as instructed in emails. Some of these can be made to appear quite authentic if the criminal has done enough research into the target company. I saw a recent example where the phisher had adopted the informal tone of the firm’s corporate culture and used language in the email that made it appear that he had genuine familiarity with some staff members. It’s best to conduct regular phishing tests to see how employees respond, and use these to reinforce the phishing awareness training that everyone should be required to attend.

      1. Chris

        This is exactly right. The fact is that this case isn’t the Nigerian prince scammer who can be spotted a mile away. These are sophisticated attacks and sophisticated attackers. The moment you think only “stupid people” fall for such things will be the moment you find yourself falling victim to it.

  2. MC

    I’m curious whether the firms victimized by these attacks had done any kind of employee training on resisting phishing or not. There are plenty of training options available but I haven’t see any studies on how effective these programs are in reducing successful attacks.

  3. Nobby

    Ah, but would you just hit reply? Or go to the phone, or pull the address from your book. And the fact is, the guy in the cube next to you got the same email. What will he do?

  4. Matt

    Wouldn’t it be easier to have the feds simply provide a public site with all of our information on it? Then we could get on with actually protecting ourselves in an actually useful manner.

    You cannot tell me all of our data isn’t protected by nothing more than ‘security through obscurity’ right now. Anyone who really wants our supposedly personal information can get it.

    It feels somehow wrong to actually blame the targeted companies, when it’s really just human nature that no amount of training and penalties is capable of mitigating.

    1. Matt

      That’s a lot of ‘actually’s. I really shouldn’t comment when hungry.

    2. NotMe

      Yup, it is actually called the the IRS and for Govt’ folks it’s actually the OPM site. Sorry, could not resist…….

      1. NorMe

        That’s funny! But, don’t be surprised to find a dark sedan with tinted windows outside your home this evening…

        1. NotMe

          No worries, that guy has been there for a week already! I think his name is Dave from the government , and he is here to help me.

  5. Jon Marcus

    Most people don’t know these schemes are happening so often. That’s at least one reason why Joe/Jane HR Person doesn’t question the CEO.

    It also probably depends somewhat on corporate culture. In a highly stratified business, where underlings are expected to jump when the boss says so, no one’s going to put their neck on the line by hassling the CEO.

    I do applaud the $50 towards a credit freeze. I hope more companies will do follow suit. If I were a victim of this type of fraud, I’d insist that the company responsible do so.

  6. Bart

    Isn’t this one of those extortionist payday lenders that charges as much as 400% interest?

    1. petepall

      While I’m sure that is true, what of it? I am against these payday lenders as well, but that’s not the point here.

      1. Will

        I thought of that, too.
        It is not right that their information got stolen. They do, however, make a living charging the poorest people extortionate rates and are not upfront about the fact. Somebody needs to implement the owner’s idea of “business”. It would however, be more correctly “karmic” if it were data brokers, sleazy slimy marketers whose information was stolen. That would be proper just desserts. They whore our information, someone else whored theirs.

  7. Scott C

    There is another level of security lapse I see in these stories: sending personal information via email. Even if it is internal company email, its still a bad idea.

  8. frank

    Personal and payroll info should be contained in a walled off system and should not be “extractable” to csv files and the like. Access should be very limited to payroll and personnel staff who NEED to work with it. It should NEVER be sent over email.

    Thinking that you can consistently and persistently keep ALL staff trained to resist phishing expeditions is foolish. Systems must be designed from the outset to make this kind of activity impossible.

    1. DirtyPixel

      This statement sounds like you’ve never worked with a payroll system. No export means no paycheck processing. Your paycheck is printed and mailed. The business needs to send paper to the government. Your employer can’t offer many benefits. You can’t pursue business leads where your not the prime contractor. Unless you can find one system that does everything AND is used by everyone, you will always have data exported to csv files.

      1. ElectricLynn

        I wonder if it would not be better for direct scheduled disbursement through a secured private/public key with hash should not be instituted between enterprises and government organizations like SS & IRS. Much like the FDA requires all plasma donation centers to be on their secured biometric system for donors to verify identity prior to & after screening questions. I know this will not help the past, or the immediate future, but it seems that 2 or maybe 3 controls should be instituted. I just personally am in stasis for the investigations to complete and the perpetrators publicized.

  9. Not Shocked

    We are now living in a world where even the TV news reporters can not wait until they can verify the information is accurate. We have to be first in everything we do. If we are not at least a few seconds before our next competitor, then we are loosing the race. The seconds are even more important in the cyber security industry, since being fast can make a huge difference when your customers are being attacked. When the boss says NOW, you do what you can as fast as you can and don’t stop to question, “Should I even be doing this?” In just about everything we do, we are now rushing to get it done, even when time does not matter. We, as employees, are more productive now than ever in history, and we push harder and faster just to keep our jobs from going to someone younger and cheaper. Security slows us down, so in this rush rush rush environment, it is often only valued too late.

  10. John Clark

    I received an email from an individual claiming to be an HR recruiter a couple of weeks ago.  The individual said he had a job in my professional field and in my local region (he acquired my resume info from LinkedIn or Indeed).  The individual’s email domain matched the website that he provided a link to.  Doing a little quick search led me to believe that he is a scammer who has contacted others with the goal of getting a hold of victim’s social security number and date of birth.

    I did further research and found that the scammer has created more than twenty fake staffing companies with all the information on the web sites being identical but for the HR directors’ names.  

    As a warning to others I created a blogger web site with all the information I gathered. It seems the scammer likes using one particular hosting company in Brea California that has let him continue to operate even though I warned them.

    You can see the list here:
    http://fakestaffing.blogspot.com/

  11. IA Eng

    The people in the IT field are busy, but no necessarily busy enough to read the current trending security news and views. If these companies would block social media at work, the entire freaking planet would be more productive and work – at work.

    At this point, no matter what size the company or organization, if you have not heard about half of the bad things the internet has to offer, its time to check into a new line of business / occupation.

    1. Sec Guy

      The “We Sell Hammers” mentality is alive and well in many companies these days. The idea behind blocking various sites or categories of sites is well known along with other items that industry knows works in combating cyber crime. See Top 20 Critical Security Controls. The problem is there is very little appetite from leadership to support the implementation of those controls because of the perception that if they can’t see a funny cat video that their friend sent them or can’t implement a vendor provided solution that requires the use of Windows XP and access to the internet that the business can’t function.

      1. Mike

        I completely agree.

        What your describing though is a direct result of the fact that very few people care to learn anything about computers or technology itself. The majority of the human population across the planet wants it all to be someone else’s responsibility. Which is why so many people flock to the iPad and the smartphone while ditching real computers. It’s not being done out of convenience, it’s done to hand off security/responsibility to someone else. The only things anyone seems to be concerned with is having access to social media and those funny cat videos. Nothing else matters.

        Managers come from somewhere. They are made up of people that never cared to learn how these things work. But they sure know how to give orders.

  12. Jake7993

    I have a question for you guys. I just checked with my accountant, since he e-files for us, regarding a PIN. Disregarding his reply that they don’t recommend creating a PIN unless you’ve been subject to identity theft, I went to the IRS website to check it out. The website states that to e-file you must verify your identity with either a PIN or last year’s AGI (adjusted gross income), which can only be obtained from the prior year’s 1040.

    So my question is, if you need either of those items, how can a fraudster possibly e-file before the legitimate person? They won’t know the PIN and how would they get a person’s prior year AGI?

  13. null

    Los Angeles Times 2016-03-16

    “LAZ Parking workers’ personal data compromised in phishing attack”

  14. Jeff

    Brian,
    Will you please let me know when you have completed the article you described in this text:
    “I’m working on a separate piece that examines the breadth of damage done this year by W2 phishing schemes. Just based on the number of emails I’ve been forwarded from readers who say they were similarly notified by current or former employers, I’d estimate there are hundreds — if not thousands — of companies that fell for these phishing scams and exposed their employees to all manner of identity theft.”
    Thanks in advance!

Comments are closed.