Skip Navigation
BlackBerry Blog

Go Phish: What the Latest IRS Phishing Scam Teaches Us About the Need for Document DRM

phishingAs if the tax season wasn’t bad enough already. Earlier this month, it was revealed by the IRS that hundreds of businesses have been targeted by a massive phishing scam, the aim of which was to gain access to highly sensitive tax documents. And in the case of several major corporations, including Mansueto Ventures (publisher of Inc. Magazine and Fast Company), GCI and Snapchat, it succeeded.

“A new group of phishers is trying a new tactic: sending out emails that appear to be in-house – often from the CEO or CFO – asking HR personnel for the W-2 information of employees companywide,” writes Security Intelligence’s Douglas Bonderud. “Since the email looks official and the request seems reasonable, it’s no surprise that several businesses have already been victimized.”

The number of employees targeted at GCI, Snapchat and Mansueto alone is in the thousands, and the scammers are successfully stealing from more businesses each day Worse, W-2 documents contain everything a hacker would need to steal an identity or commit tax fraud, including name, address, social security number and wage information. What’s most troubling here is neither scope nor severity, however – it’s how easily these thefts could be prevented.

No Control, No Security

Businesses should never share sensitive documents without first protecting them. The compromised W-2 information likely would not have been compromised if the companies involved had taken measures to protect and retain control over their shared files. Consider what may have happened if the targeted organizations had secured all employee tax documents with digital rights management (DRM) technology.

ohnoAfter a long day of work, a CFO receives an email with an unusual request: for some reason, the CEO wants access to employee W-2s. The CFO, focused on ending the workday, acquiesces without a second thought, pulling the requested files out of SharePoint en-masse. It’s only after hitting ‘send’ that the CFO realizes they’ve been duped. Without additional protections, they’d have just given the tax records of every single employee in the company to a career criminal. With DRM, however, there are a few ways things might play out:

  • If the files are sent without copy/paste permissions or as “view only,” the criminals have to extract the information manually – an extremely time-consuming process. The W-2 information is still compromised, but the company has more time to notice and respond to the security breach. Further, the scammers might abandon the protected documents in favor of easier, less-secure targets.
  • If access to the files is restricted to approved parties, those files can’t be shared or sold by criminal organizations. Even if a criminal downloads a file, the data inside remains protected in an unhackable, encrypted container.
  • If the scammers somehow gain access to the DRM-protected documents, that access can be revoked immediately upon discovery of the data breach, rendering the documents useless to the criminals.

In order for any of the above scenarios to be realistic, your organization needs a document control solution that integrates seamlessly with its existing repositories. Said solution must also allow you to retain control over your files even when they’re outside your company’s firewall. Most importantly, it needs to be easy to use, enabling collaboration and file sharing without interrupting workflow.

That’s where BlackBerry Workspaces (formerly known as WatchDox by BlackBerry) comes in.

How BlackBerry Workspaces Keeps You in Control of Your Documents

access-deniedA two-time visionary in Gartner’s EFSS Magic Quadrant, BlackBerry Workspaces addresses the characteristics of electronic data that makes it so easy to steal, fundamentally breaking the basic model of data theft that powers the criminal enterprise. Used to protect the personnel records of organizations such as the U.S. Postal Service and the U.S. Department of Veterans Affairs, it allows you to retain full ownership over sensitive documents no matter who those documents are shared with. It’s able to accomplish this thanks to some of the most robust security and DRM controls on the market:

  • Files are protected by end-to-end encryption whether at rest, in-transit, on-server or on-device.
  • BlackBerry Workspaces’ Content Connectors integrate readily with the majority of leading file repositories, enabling you to protect critical assets without having to invest in additional infrastructure.
  • DRM controls allow administrators to easily restrict or allow downloading, copying, editing or printing. The protection is applied at a file level, so in the event that an unauthorized individual gains access to a file, that access can be revoked with a single click, even after files have been saved locally.
  • When a file is taken out of a repository protected by BlackBerry Workspaces, DRM can be applied automatically without requiring additional action by the employee.
  • BlackBerry Workspaces’ granular logging and reporting tracks every detail of how, where and by whom each file or repository has been accessed. It can also integrate with existing document loss prevention (DLP) solutions. If a suspicious party accesses any sensitive documents, your administrators can take action immediately to protect the information those documents contain.

Don’t Fall Victim

That so many major organizations fell prey to such a simple phishing scam is an embarrassment. But what’s more embarrassing is the fact that none of them had any sort of security solution in place to protect employee information. Had they been using a tool like BlackBerry Workspaces, this story would have played out far differently.

As it is, they’re left with egg on their face and a pile of stolen tax records on the web.

To learn more about how BlackBerry Workspaces helps you protect your sensitive files, check out our latest release blog, visit the official BlackBerry Workspaces page or view our BlackBerry Workspaces Email Protector page.

About Dan Auker