The following are excerpts from Beth Waller’s interview on April 6 with Brian Weigand and Mari White on WIQO’s Morning Show, heard throughout Southwest and Central Virginia. In early March, the IRS alerted payroll and HR professionals about phishing schemes involving W-2 forms. Read Beth’s interview below and visit our Cybersecurity page for information on how we can assist companies before, during, and after a data breach.
Q. Brian: We are speaking with Beth Waller, an attorney specializing in cybersecurity with Woods Rogers PLC. We are talking about cybersecurity, especially with some things that have been in the news lately. Beth, welcome to the program.
A. Beth: Good morning.
Q. Brian: We have seen more and more phishing scams in the news lately. These have been going on for a while, and generally the emails have been made to look like they are from your bank, except, for some reason, your bank doesn’t seem to have English as its first language. These are getting an awful lot more sophisticated, aren’t they?
A. Beth: They are! We are seeing a lot more phishing schemes, which are emails that purport to come from someone you know. It could be an email that looks like it is coming from the CEO of your company, and he or she is requesting a copy of payroll or W-2 information. When you hover over the email address, it no longer gives you the indication that it is coming from an offsite location. It doesn’t look like an external source requesting information. It looks like an internal email.
Q. Brian: You’ve just mentioned one of the best defenses that you have, if you are careful with this. You take your cursor and hover over the link, and instead of seeing your CEO’s email address, it’s somewhere in Bulgaria. That is the first tip that this is not legit, but these people are figuring out every “jot and tittle.”
A. Beth: That’s correct; it no longer looks like it’s an email from a Nigerian prince requesting information, where it is very easy for you to tell that this is some sort of nefarious email. These are emails that are made to look like they are coming from someone internal in your company. A lot of folks are impacted. A few weeks ago, the IRS sent out an alert to payroll and human resources professionals about this scheme because employees are falling prey to it on a national level and on a local level. Local businesses made up of smart people are getting hit with these schemes, and you just need to be aware when you get an email from someone to double-check. Pick up the phone and call the sender and make sure it is actually a request for a W-2.
Q. Brian: Let me ask one thing there before you talk about how to react when this happens to your company. What are the chances that the IRS is ever going to email you without having already corresponded with you on whatever topic they might be touching on?
A. Beth: I think that is a good point. If you are getting a request from the IRS, you need to really think about it and see whether or not you had something in the mail. Does it look like an official missive? The requests that we are receiving now are really made to look like they are coming from someone internal to your business. For instance, it might look like it is coming from another attorney here at Woods Rogers requesting information, and I may send it to them, and when I send it, it is actually being sent to someone in a dark basement somewhere with really malicious intent as to what they want to do with the information that is sent. Folks are using this information, especially the W-2 information, to file tax returns and get return information and take that money out of your pocket.
Q. Brian: This is what we have been seeing lately in the news. People sending off their return to the IRS in whatever fashion and the IRS responding, “We already sent you your $3500.”
A. Beth: That’s exactly right, and that’s how folks are finding out that their information has been compromised. You really have to be alert to these issues, and that isn’t the only issue. You’ve seen in the news that MedStar, which is a Northern Virginia hospital system, was hit with ransomware. Ransomware is a slightly different type of cyber-attack where an employee clicks on a link and, all of a sudden, everything gets locked up on your system and you get a message that says you need to send a certain amount of money in bitcoins or in cash in order to unlock your files. In the case of MedStar, it locked up an entire hospital system. Think of all of the electronic medical records that can get locked up; it can completely freeze a company. You have not only these phishing schemes going on but also these ransomware schemes where people are just getting hit, all over the place, all of the time.
Q. Brian: I believe this also happened to a hospital system in California recently. There isn’t a great deal of recourse. If you are a cybersecurity genius, maybe you can figure out a way around a virus and the lockdowns and the encryption. Generally, especially for a hospital, you’ve got to have this information ASAP, so businesses are just paying these people off.
A. Beth: Most of the time you hear from the cybersecurity experts that if they are requesting $500 to unlock your files, go ahead and pay the ransom. There’s no real way to get the key in order to unlock the encryption. So you need to figure out, one, whether you want to go ahead and pay the ransom or, two, maybe be prepared in advance by having backup systems or backup files somewhere else. So if you do get hit and your information gets locked up, you can access that information and you have a built-in redundancy.
Q. Mari: Are they so sophisticated that the company is at risk just by someone opening an email? Or do you still have to click on a link?
A. Beth: My understanding is you still have to click on the link, or you have to start downloading. Let’s say there is an attachment that you open up; then, all of a sudden, you are getting these messages with a skull and crossbones telling you that your information has been locked up.
Q. Brian: Let me ask a bit more about MedStar and defense against this, because as bad as it is to have your credit card information stolen at Target, all of your medical information is that much worse. MedStar, as I understand, had known they had a problem for several years, and it was a pretty straightforward patch to fix it, but they just did not do it. They figured everything would be fine. How important is it to make sure that you’ve got the latest versions of all of the software running, that you’ve got firewalls, anti-virus, etc.?
A. Beth: It is extremely important that you have backup situations and you’ve got protocols in place where this sort of breach won’t occur, but then there’s also the human element. You need to make sure you are training your employees to be vigilant, especially if you think of the phishing scheme. Have training in place that says if you get a request for certain information, be it bank account information or tax information, pick up the phone and double-check that the requester actually wants it. There should be various ways to make sure that you don’t get hit before it happens.
Q. Brian: We’ve talked about technical defenses and education for your personnel. Let’s say the worst happens: you’ve been hacked. What is the immediate reaction for a company? Maybe you have or you have not backed up the information with Carbonite and other servers like that. What are the first steps you want to take in the minutes after you discover this?
A. Beth: One, you want to make sure you address the breach immediately. If there are servers, try to take them offline. Immediately take action to make sure your information is protected; go on lock-down. Two, form a task force. Make sure you have a group of people who are going to respond to the incident, and go ahead and include your outside resources like your law firm, your accounting staff, your bank. Some banks have actual cybersecurity fraud management. You also need to know the reporting laws. There are laws in place that once an individual’s information is impacted, there is certain information that you need to get out to them as soon as possible, as soon as you’ve got your hands around what the situation is. What’s required can change if it is HIPAA information, or if it is a social security number. There is a certain protocol of information that you need to send to an employee that has their social security number impacted, but if it is HIPAA information, you need to go to another level and go through certain reporting laws. It is important to know what the laws are, and you need to be able to make a quick reaction so that you don’t get in trouble for not addressing the issue quickly.
Q. Brian: And just to be clear, HIPAA is with health information?
A. Beth: That’s correct.
Q. Mari: We are speaking with Beth Waller with Woods Rogers, and her focus is on cybersecurity and IT issues. It sounds like you [companies] are reacting instead of preventing this. It sounds like it is primarily damage control, instead of actually trying to catch the people responsible. Is that fruitless?
A. Beth: Most of it is damage control. You also need to reach out to your local law enforcement officers, or also the field office of the local FBI agency. You need to make sure you are reporting this information. Unfortunately, most of the time you see that there just aren’t a lot of resources to investigate these issues, especially these small scale issues, but they want to know about it to try and go after these people. But realistically, a few minutes after a breach you are trying to deal with damage control, get a sense of what information is impacted, know what you need to tell people and then what can you do to make sure that this doesn’t happen again.
Q. Brian: It is awfully hard to think that we are going to hold people accountable for this, especially when it seems like the vast majority of them aren’t in this country and they are able to get you to pay in bitcoin or any other encrypted currency like that. I hate to say it, but this seems like a lucrative crime to be involved in.
A. Beth: It is a very hard thing to track. There are all types of protocols they take to really mask what their true identity is. It could be an employee sitting in your office, which is very scary to think about, or it could be someone sitting in Iceland. You just don’t know, and it is very hard to try and track that information.
Q. Mari: What companies need to take away from this is that they need to have a plan in place. Is that right?
A. Beth: That is correct!
Q. Brian: And do you all recommend using a service like ThreatConnect, or anything like that?
A. Beth: We recommend that you look at all of the available options, because there are a lot of different software protocols and different software systems that you can use to protect yourself. It is good to go ahead and investigate that information. Make sure you have the best system in place from a company standpoint to guard against these issues. Make sure your firewalls are in place, so if you do fall victim, you’ve at least done your best to make sure that you’ve protected yourself.
Brian: If you want to talk cybersecurity issues with Beth Waller at Woods Rogers, just go to woodsrogers.com; you’ll find all of the information you need there. Beth, thank you for joining us this morning.