2016 was a banner year for 'spear phishing' data theft

Among "spear phishing" victims were nearly 11,000 Main Line Health employees and an undisclosed number of client employees whose pay was processed by Alpha Payroll Services LLC of Trevose.

The coming tax season will be prime time for cyber-criminals out to steal information needed to file fraudulent tax returns to collect refunds owed to unsuspecting taxpayers.

Data thieves have been so successful in the last couple of years that the black-market value of a stolen electronic health record fell to between $20 and $50 in October, from $75 to $100 a year earlier, HealthcareITNews reported.

That glut of stolen health records followed a surge in successful "spear-phishing" attacks for W-2s in the early months of 2016.

These schemes trick an employee into sending W-2s or other information to an outside party in response to an email typically believed to be from a top company executive.
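One defensive check for the lure described above, as an added illustration that is not from the article: a small Python filter that flags an inbound message when an executive's display name arrives on an address outside the company's domain, when a Reply-To diverts the answer elsewhere, or when the text asks for W-2 or payroll data. The executive roster, company domain and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed roster and domain (hypothetical): names likely to be impersonated,
# and the only domain from which those people legitimately send mail.
EXECUTIVES = {"Jane Doe", "John Roe"}
COMPANY_DOMAIN = "example-health.org"
W2_KEYWORDS = ("w-2", "w2", "payroll", "social security", "ssn")


def flag_w2_lure(raw_message: str) -> list[str]:
    """Return the warning signs found in one raw RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Display-name spoofing: an executive's name on an address the company does not own.
    if from_name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append("executive display name on external address")

    # A Reply-To that sends the answer somewhere other than the From address.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("Reply-To differs from From")

    # Keyword check on subject plus plain-text body for the W-2/payroll ask.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if any(word in text.lower() for word in W2_KEYWORDS):
        flags.append("requests W-2 or payroll data")
    return flags


# Constructed sample lure modelled on the scheme the article describes.
SAMPLE_LURE = """From: Jane Doe <jane.doe@example-health-ceo.com>
Reply-To: ceo.jane.doe@mail.example
To: payroll@example-health.org
Subject: Urgent: all employee W-2s needed today

Kindly send the 2016 W-2 forms for all employees as one PDF before noon.
I am in meetings, so reply to this email only.
"""

# Constructed benign internal message for comparison.
SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example-health.org>
Subject: Lunch

See you at noon.
"""
```

A message that trips only the keyword check, such as a genuine internal payroll note, still deserves a second look from whoever handles W-2 requests, which is why the function returns every sign found rather than a single verdict.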

"The attempts will increase," said Michael A. Gillen, director of the tax accounting group at Duane Morris LLP in Center City, so having a "heightened sense of awareness is critical."

Thieves successfully hit at least seven Philadelphia-area companies in the first half of this year with such phishing attacks, according to the Identity Theft Resource Center, a San Diego nonprofit founded to support victims of identity theft and educate the public. At least three others were subject to hacks that exposed employee or client information.

Among the victims were nearly 11,000 Main Line Health employees and an undisclosed number of client employees whose pay was processed by Alpha Payroll Services LLC of Trevose.

"Spear-phishing attacks in the first half of the year were increasing at the most phenomenal rate since ITRC started tracking data breach incidents" in 2005, said Karen A. Barney, director of research and publications at the center.

Overall, however, the number of records with personal information exposed in 2016 was down sharply, to 35 million from 177 million in 2015, when several health insurers had major breaches, according to a Dec. 13 report by Barney. She tallied 980 breaches this year, up from 780 in 2015.

Barney said that in 2015, 165 million records containing Social Security numbers, the most valuable piece of information for thieves because it allows them to open accounts, were exposed. The total is "considerably less" this year, she said.

Fortunately, the IRS has gotten better at blocking fraudulent filings to protect consumers, Gillen said.

"In the past, the IRS would never alert you to potential fraud on your account," Gillen said. If a taxpayer was the victim of a fraudulent tax filing, the IRS would simply reject the real return when it was filed. "That was how people were alerted to the fraud," he said.

Now the IRS is applying statistical analysis to returns, looking for information that is inconsistent with prior returns and notifying taxpayers, Gillen said.

Main Line said "a small percentage of our employees had tax returns fraudulently filed last year, but law enforcement was able to stop this quickly when we reported the incident."

Main Line disclosed its breach widely to the public. Many companies only make the required disclosures to state agencies.

Other local companies subject to successful phishing for W-2s, according to Barney's report, were: Symphony Health Solutions of Conshohocken, Pennsylvania Lumbermens Mutual Insurance Co. of Philadelphia, Gamesa Wind U.S. LLC, Crane Payment Innovations Inc. of Malvern, and Arc International in Millville, N.J.

Besides Main Line, only Symphony said how many employees were affected — 365.

Some companies said they found out about the breach, often on the day it happened, when the employee who responded to the spear-phishing email became suspicious after the fact.

Alpha Payroll found out about its March breach in April, after a client notified Alpha that fraudulent tax returns had been filed under its employees' Social Security numbers. "Alpha Payroll leadership promptly terminated the employee" who responded to the phishing email, a letter to New Hampshire's attorney general said.

The letter also said "no definitive proof exists at this time connecting the fraudulent returns to the phishing email response of the Alpha Payroll employee."

Despite this year's decline in exposed records, Gillen said there is no reason to relax.

"I think that these thieves come up with new, more advanced approaches every single day. I think that is going to continue for quite some time," he said.