
In recent weeks, hundreds of businesses around the country have been hit by an email “phishing” scam that is both brilliant in its exploitation of workplace power dynamics and potentially devastating in its effects. This particular scam, which includes widely reported cases involving the Milwaukee Bucks and Snapchat, generally works as follows:

While all “social engineering” scams seek to find and exploit human weaknesses in order to gain access to sensitive information, this scam is brilliantly cynical: it exploits the imbalance of power between senior management and subordinate personnel by inducing a sense of urgency and a desire to please, with the goal of overwhelming the subordinate’s ability to think critically about the information request. Like any good card trick, the spoofed email creates a psychological distraction that blinds the recipient to the sleight-of-hand that’s taking place right before his or her eyes.

The consequences of a successful W-2 phishing scam can be extremely serious for the targeted company. Data breach notification laws will almost certainly require delivery of notices to affected employees, government agencies, credit reporting agencies and/or the media. The company will also need to report the incident to local and federal law enforcement agencies, as well as the IRS. Additionally, management will need to be prepared to receive questions from the affected employees about how they should protect themselves and their credit in the wake of the incident. In short, it will be a costly, time-consuming, distracting and morale-draining experience to deal with the aftermath of a W-2 phishing scam.

Given the stakes, companies should focus on strengthening their defenses against potential social engineering attacks. Implementing regular and mandatory data security training for all employees is a critically important defensive measure. Training will not only provide employees with assistance in identifying phishing scams, but will also raise overall awareness and create a company-wide sense of vigilance and preparedness. An appropriately selected and enforced training program can act as a bulwark against potential liability in any post-breach litigation.

Poyner Spruill’s Privacy and Data Security Law practice group advises companies who have experienced data security breaches and can also work with clients in the selection of data security training programs and the preparation of incident response plans. If you have any questions or need assistance with data security matters, please contact Mike Slipsky at or Saad Gul at

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.
