It happens daily. An employee receives an urgent email from a superior or executive requesting information, files or documents. Most of the time, it’s legitimate business.
But a new strand of W-2 phishing emails — sometimes known as business email compromise (BEC) — is using this standard routine to steal corporate payroll data, taxpayer information and valuable identities.
Per the latest warning from the IRS, a new salvo of phishing scams is portraying emails from executives that requests employee lists and sensitive W-2 forms. The phishers strategically target employees in payroll or human resources, making the request seem that much more legitimate.
“This is one of the most dangerous email phishing scams we’ve seen in a long time,” said IRS Commissioner John Koskinen in a news release on IRS.gov. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”
According to CSO Online, more than 30,000 taxpayers have already been affected by the W-2 scam in 2017. In 2016, some 145 organizations fell victim to these types of tax scams, which exposed thousands of records.
Broader Scope, More Phishing Targets
The W-2 phishing scam first appeared last year but has started circulating earlier in the tax season, the IRS warned. The attack has also broadened its scope, now targeting schools, healthcare, restaurants and staffing agencies — organizations that often have less training and awareness on cyber security best practices.
In some cases, the initial W-2 phishing attempt is followed by another email to a payroll employee or comptroller requesting a wire transfer be made to a specific account.
Unfortunately, some organizations have fallen victim to both the W-2 phishing scam and the wire fraud scheme — both of which leverage legitimate-looking emails from executives.
Brian Krebs, CSO Online and Forbes have all reported on the new wave of W-2 phishing scams. Krebs, a noted cyber security researcher and investigative journalist, explains that these new scams are very much like standard “CEO Fraud” that relies on blind trust from employees to provide bosses or superiors anything they request. These are very common scams that occur at any time during the year.
Enterprise Cyber Security Has Cracks, Faults
While protecting taxpayer identities and information is critical during this time of year, the W-2 scams highlight alarming realities about corporate cyber security. The scams persist because they work. And they work because many organizations and enterprises have lax security controls.
If well-intentioned employees are falling victim to BEC scams, they’re likely clicking on any number of phishing links. These malicious URLs provide threat actors simple means for deploying malware payloads, which are used to steal intellectual property, credentials, sensitive data, employee records, customer information and more.
Defending Against W-2 Phishing Scams
Many people have been fooled by a phishing scam at one point in time or another. In a recent security report, Verizon estimates that 30 percent of phishing emails are opened and 12 percent of phishing targets click on the link or attachment.
But during tax season, it’s even more important to remain vigilant, particularly when using corporate email, devices and computers.
Implement these best practices for protecting your organizations and employees against W-2 and other phishing scams.
- Communicate quickly. Alert all employees about the W-2 scam and provide directions on who they can notify if they think they’re being phished
- Empower staff. Train employees on how to spot phishing emails; red flags include unknown senders, odd email headers, misspellings or poor grammar, abnormal requests, etc.
- Be suspicious. Never click on links, respond to, or provide information to unknown parties
- Instill a security culture. Build a year-round culture of cyber security diligence, which includes locking work stations, securing laptops, using strong passwords, being wary of phishing emails, ensuring identification badges are visible when on corporate grounds and challenging unknown visitors
- Notify the authorities. Organizations that receive or fall victim to the W-2 scams should file a complaint with the FBI’s Internet Crime Complaint Center (IC3)
The IRS urges affected employers, organizations or companies to forward any W-2 phishing attempts to firstname.lastname@example.org and use “W-2 Scam” as the subject line.