Scammers are targeting businesses nationwide, including many in Montana, with a sophisticated “spear phishing” email scam that has compromised the personal information of thousands of Montanans.

“Spear phishing” is a more focused form of “phishing,” or posing as a legitimate source to gain access to sensitive personal identification and financial information. Spear phishing emails are sent to specifically targeted recipients and are designed to look like they were sent from someone the recipient knows and interacts with – possibly a business owner, a supervisor, a colleague, or a department manager.  The email’s subject line and content are likely to be specific to the target recipient’s business responsibilities or interests.

“This ‘spear phishing’ scam is especially despicable because it takes advantage of the trust that colleagues build between each other,” said Attorney General Tim Fox.  “These scammers often research their intended target by exploring the target recipient’s LinkedIn and other social media accounts to build a convincing email, so it can be easy to fall victim to those emails.  Educating Montana businesses about the existence of these scams is the best defense we have.”

The Montana Office of Consumer Protection has received dozens of notices about the following specific spear phishing scam:

A person impersonating a company executive sends a scam email to a staff member.  The email requests a list of employees’ W-2 information, such as employees’ names, addresses, social security numbers, and wage information.  In reality, when the staff member responds to the scam email with the W-2 information, the scammer steals the personal information and uses it to commit identity theft.  The scammer may even file fake tax returns to steal an individual’s tax refund money.

If you, or someone you know, receives an unusual email requesting such information, do not respond immediately.  Instead, contact the company executive by phone or in person to ensure that the request for W-2 information is legitimate.

If you discover that personal information has been sent to a scammer, alert company executives to the scam immediately.