FBI Portland
Portland Media Office
(503) 460-8060
June 7, 2017

FBI Tech Tuesday - Building a Digital Defense Against PII Theft (Part 1)

In recent years, the FBI has seen an increase in the number of companies and institutions reporting the theft of Personally Identifiable Information or PII. This theft takes many forms—from e-mail phishing attacks, to Point-of-Sale theft, to the more advanced hacking of vulnerabilities in servers where the information is hosted. The theft of the information can happen at any time, but the effects can be felt for months or years beyond then.

This year saw a proliferation of a two distinct phishing campaigns to steal PII for Tax Fraud. The first is a variation of the business e-mail compromise scam in which a company’s executive has his or her e-mail hacked or spoofed. In a traditional business e-mail compromise scheme, the fraudster tries to convince the victim company’s finance department to make a payment to a regular vendor or send an invoice to that vendor requesting payment back. The fraudster would re-route the payment midstream and cash out.

In this case, the fraudster uses that executive’s account to send e-mails to the company’s human resources, finance, or audit department. The e-mail seemingly sent by the executive asks for employees' PII or W-2 information, allegedly for tax or audit purposes. In some cases, the fraudsters have managed to secure sensitive financial and personal information on thousands of workers.

In the second kind of PII theft scheme that we are seeing, the employee himself is a target. We will explain more about that version of the scam in next week’s Tech Talk.

In the meantime, here are some helpful hints on what businesses can do to protect themselves:

* Set up two-factor verification systems to confirm the request and receipt of such sensitive information. This could be as simple as a phone call or a face-to-face meeting.

* Establish protocols for sensitive information requests ahead of time and outside of the e-mail environment. You don't want a hacker who already has access to your system to know what your back-up security measures include.

* Ensure that sensitive PII and W-2 information is secured with encryption.

* Establish and maintain robust and strong security for your data, including firewalls, virus protection, and spam filters.

For more information on e-mail security concerns or other cyber crimes, check out the FBI’s website at www.fbi.gov or the FBI’s Internet Crime Complaint Center at www.ic3.gov. For Tax Fraud Reporting and Information go to www.irs.gov.