Earlier this morning the Milwaukee Bucks announced that their organization had become the recent victim of a W-2 spear phishing attack. Crooks managed to extort the Buck’s 2015 tax records for every employee, including players. Similar to a number of incidents we’ve detailed in the past, attackers impersonated the organization’s CEO (or in this case president) and asked a subordinate for last year’s employee tax information.
These spear phishing attacks have been shown to be incredibly effective, compromising companies big and small without discrimination for the type of business targeted. Scammers have managed to spear phish a broad set of organizations ranging from a concrete supply company to a major computer hardware manufacturer to now a basketball team.
For more on these types of W-2 spear phishing attacks and other forms of business email compromise, please see our 2016 Q1 Security Threat Report. Also, for an ironic chuckle about attackers swiping W-2 records in inventive ways: check out KrebonSecurity’s recent article about how Equifax, one of the big-three U.S. credit bureaus, was used to steal all of Krogers’ and several other companies’ tax records.