, with social media friend requests and emails pretending to come from the HR department among the ones most likely to fool workers into handing over usernames and passwords. Phishing scams aim to trick staff into handing over data -- normally usernames and passwords -- by posing as legitimate email. It's a technique used by everyone from the lowliest criminals running ransomware campaigns to state-backed hackers, because it continues to be such an effective method. In a review of 100 simulated attack campaigns for 48 of its clients, accounting for almost a million individual users, security company MWR InfoSecurity found that sending a bogus friend request was the best way to get someone to click on a link -- even when the email was sent to a work email address. Almost a quarter of users clicked the link and were taken through to a fake login screen, with more than half going on to provide a username and password, and four out of five then going on to download a file. A spoof email claiming to be from the HR department and referring to the appraisal system was also very effective: nearly one in five clicked the link, three-quarters provided credentials, and a similar percentage went on to download a file. Some might argue that gaining access to a staff email account is of limited use, but the security company argues that it is handy for an assault. A hacker could dump entire mailboxes, access file shares, run programs on the compromised user's device, and access multiple systems, warned MWR InfoSecurity. Even basic security controls, such as two-factor authentication or disabling file and SharePoint remote access, could reduce the risk.
The company also reported bad news about the passwords that users handed over: while over 60 percent of passwords were found to have a length of 8 to 10 characters -- the mandatory minimum for many organizations -- the company argued that this illustrates how users stick to minimum security requirements. A third of the passwords consisted of an upper-case first letter, a series of lower-case letters, and then numbers with no symbols. It also found that 13.6 percent of passwords ended with four numbers in the range of 1940 to 2040. Of those, nearly half ended in 2016, which means one in twenty of all passwords end with the year in which they were created.
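The three weak-choice patterns MWR describes above (minimum-length-only passwords, the capital-lowercase-digits shape, and a trailing four-digit year) can be turned into a simple audit a defender runs over an internal password-reset or breach-simulation dataset. This is an added example, not MWR's tooling; the password list is constructed, and the pattern definitions and year range are taken directly from the figures quoted in the article.

```python
import re
from collections import Counter

# Constructed sample standing in for the credentials MWR harvested in its
# simulations; these are made-up values, not real leaked passwords.
SAMPLE_PASSWORDS = [
    "Password1", "Welcome2016", "Summer16", "Qwerty123", "Letmein",
    "Hunter2016", "Monkey99", "Abc!2016", "Baseball1", "Spring2015",
    "Code1234",
]

# Capital first letter, a run of lower-case letters, then digits, no symbols.
CAP_LOWER_DIGITS = re.compile(r"^[A-Z][a-z]+[0-9]+$")
# Passwords ending in (at least) four digits; the last four are the candidate year.
TRAILING_FOUR_DIGITS = re.compile(r"(\d{4})$")
YEAR_RANGE = range(1940, 2041)  # 1940 to 2040 inclusive, as in the report


def classify(password: str) -> dict:
    """Flag, for one password, the weak-choice patterns the MWR figures describe."""
    m = TRAILING_FOUR_DIGITS.search(password)
    year = int(m.group(1)) if m else None
    if year is not None and year not in YEAR_RANGE:
        year = None  # four trailing digits that are not a plausible year
    return {
        "min_length": 8 <= len(password) <= 10,
        "cap_lower_digits": bool(CAP_LOWER_DIGITS.match(password)),
        "year_suffix": year,
    }


def audit(passwords, current_year: int = 2016) -> dict:
    """Count how many passwords match each pattern; current_year picks out the
    'ends with the year it was created' case the article calls out."""
    counts = Counter(total=len(passwords))
    for pw in passwords:
        c = classify(pw)
        counts["min_length"] += c["min_length"]
        counts["cap_lower_digits"] += c["cap_lower_digits"]
        if c["year_suffix"] is not None:
            counts["year_suffix"] += 1
            counts["current_year"] += c["year_suffix"] == current_year
    keys = ("total", "min_length", "cap_lower_digits", "year_suffix", "current_year")
    return {k: counts[k] for k in keys}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key:18} {value}")
```

Run against a real reset log, the ratios of each count to `total` are the same figures MWR reported, and a rising `current_year` share is the signal that users are appending the year to satisfy a rotation policy.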
Last week, the Internal Revenue Service (IRS) issued a new warning to employers, urging them to stay alert as reports of compromised W-2 records started to climb. This newest advisory aligns with the agency's plan to delay refunds for those filing their returns early in order to combat identity theft and fraud. The IRS also informed employers that the W-2 scam has moved beyond corporations, expanding to include schools, tribal organizations, and nonprofits. In a statement, IRS Commissioner John Koskinen said the scams - sometimes known as Business Email Compromise (BEC) attacks - are some of the most dangerous email scams the agency has seen in a long time. "It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone's help to turn the tide against this scheme," Koskinen said. In 2016, at least 145 organizations fell victim to BEC scams, exposing tens of thousands of employees to tax fraud and identity theft. Salted Hash kept track of some of the high-profile cases, and Databreaches.net tracked everything, resulting in a massive list of documented successful attacks. As of February 5, 23 organizations have publicly disclosed BEC-related data breaches, each one resulting in compromised W-2 data. The confirmed BEC victims include ten school systems, a software development firm, a utility company in Pennsylvania, at least one restaurant in Indianapolis, and businesses operating within the healthcare, finance, manufacturing, and energy sectors. Distribution International emailed employees on January 27 that their W-2 data was compromised. Their notification expands the number of affected taxpayers to more than 30,000.
The scammers spoofed an email and pretended to be one of the company's owners. W-2 records for all companies and all employees were compromised. Salted Hash reached out to Sky Climber's CFO, Jeff Caswell, for more information. Also, the College of Southern Idaho has reported an incident that could impact 3,000 employees. According to Public Information Officer Doug Maughan, the W-2 records affected belong to seasonal and auxiliary staff. Palomar College disclosed an attack on January 30 which affected employee W-2 records. The school didn't say the incident was the result of a BEC attack, but Salted Hash is listing it anyway due to the timing of the attack and the information targeted. Finally today, the West Michigan Whitecaps - a Class A minor league baseball team affiliated with the Detroit Tigers - said staff W-2 records were compromised after someone posing as a manager requested them. In 2016, the criminals behind the BEC attacks mostly focused on payroll and tax records. This year, though, the IRS says that in addition to the usual records request, the scammers are now following up and requesting wire transfers. "Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees' W-2s and thousands of dollars due to wire transfers," the IRS explained in its warning. "Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers." BEC attacks are essentially phishing scams, or spear phishing since the criminals have a specific target. They're effective too, exploiting the trust relationships that exist within the corporate environment.
In a majority of the reported cases from 2016, the attackers forged an email and pretended to be the victim organization's top executive, or someone with direct authority. Often it is the CEO or CFO, but any high-level manager will work.
The bug could've likely been exploited to make a self-spreading worm too, according to hackers and security researchers. Steam's operator Valve announced that it fixed the bug earlier today, but with over 125 million monthly active users on its platform, the exploit could have wreaked havoc for thousands of people, and for the company itself. "Anyone who views a specially crafted profile gets popped," a white hat hacker who has found several bugs in Steam in the past, and asked to remain anonymous, told me in a Twitter DM. Several users and security researchers noticed this week that it was possible to put malicious JavaScript code inside a Steam user's profile page, and the code would execute whenever someone visited that profile page, without any need for the victim to click anywhere. This type of bug is known as a cross-site scripting vulnerability, or XSS, a problem that's plagued Steam for years. "Phishing scams and virus downloads are possible at the very least, but if account takeovers are possible, that's about as bad as XSS gets," Jeremiah Grossman, a web security expert, said in a chat. A Valve spokesperson said the bug was fixed on Tuesday at noon, but there's no telling how long the door was open for hackers to exploit it. (The spokesperson did not immediately respond to a request for comment.) The bug was so bad that the moderators of the Steam subreddit told users to refrain from visiting other users' profiles. "Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser," a moderator wrote in the warning post.
Grossman and Jake Davis, a former LulzSec hacker, confirmed that the bug existed as of Tuesday morning and analyzed the potential attacks that bad guys could carry out if they were to exploit it. "If something like this were to be found on Google or Facebook, it would be a high-severity issue," said Grossman, who's the Chief of Security Strategy at security firm SentinelOne.