If you work in a large corporation, you’ve probably undergone mandatory information security training every year since you started. Companies are becoming more and more aware of the myriad cybersecurity threats that could put their sensitive information—and the future of their business—at risk.

Management has probably trained you not to open emails from suspicious-looking senders, to avoid clicking links or downloading content from anyone you don’t trust and to never give your password to anyone.

While the above precautions are necessary, they may not be sufficient. Hackers are becoming increasingly sophisticated. In a new email scam, hackers are taking advantage of a known weakness in the corporate world: hierarchy.

The scam

Let’s say you’re a young employee in the payroll department of a large company. One day, you receive an email from a high-level executive in the firm, asking for W-2 information for a list of employees. Your initial reaction would probably be to fulfill the request—after all, it’s your boss’s boss who’s asking for it. It’s unlikely that the email would give you pause.

This is the line of thinking that scammers prey upon. Here’s how it works: The scammer will hack into your company’s email system and send W-2 requests from an executive’s account to employees in payroll and human resources. If any of the well-meaning employees comply, they’ve just emailed their colleagues’ Social Security Numbers to an identity thief, who can use them to file fraudulent tax returns.

What to do

It’s critical to train all employees never to send sensitive information via email, because this method of communication is not secure. If an employee ever receives a request for private information from a trusted-looking sender within the company, they should talk to the sender directly to verify the legitimacy of the request. Then they should provide the information through a secure means.

As information thieves become more advanced, it’s important for companies to update cybersecurity policies to help prevent unnecessary breaches.