It is that time of year and, once again, the fraudsters are gearing up their campaigns to try to gain access to sensitive business and personal tax information.
W-2 Phishing Scams:
Since 2016, cybersecurity organizations have observed tax-form-related phishing scams around this time of year, including several new variations that combine W-2 scams with business email compromise (BEC), business email spoofing (BES) and wire transfer fraud. The IRS's Online Fraud Detection & Prevention (OFDP) office, which manages [email protected], observed a significant increase in reports of W-2 related scams, from more than 100 in 2016 to approximately 900 reports in 2017. The volume of reports jumped dramatically in February 2017, which alone accounted for 60% of the BEC/BES W-2 reports received in 2017. Emails to [email protected] came from both victims and non-victims, many of whom noted repeated contact, with multiple W-2 requests or follow-up emails. Such instances could indicate a multi-step campaign in which the actors follow up with a fraudulent wire transfer request before, during or after the request for W-2s.
Trends:
Cybercriminals use various spoofing techniques in attempts to contact an employee in the payroll or human resources department, requesting a list of all employees and copies of their Forms W-2. Such techniques include disguising an email to make it appear as if it is from an organization executive, or even compromising the executive's email account itself to gain legitimacy. They achieve the disguise by spoofing the "From" field and adding a "Reply-To" address that they control, or by using a free email service account for the sending address and spoofing only the sender's display name.
The most popular methods remain sending an email either spoofing the target organization or using a free email account and typosquatted (i.e., minwestbank.com, minnw3stbank.com) domains to impersonate a C-level executive to an HR professional within the organization.
In the latest twist, the cybercriminal follows up with an "executive" email to the payroll department or comptroller and asks that a wire transfer also be made to a certain account. In one case, an administrator account was phished and the email was used to contact the company's president requesting W-2s. Although not itself tax related, the wire transfer scam is being coupled with the W-2 scam email. Some companies have lost both their employees' W-2s and thousands of dollars to wire transfers. In some cases, firms received a BEC wire transfer request simultaneously with, or immediately after, falling victim to the BEC W-2 request.
The W-2 scam is just one of several new variations to appear in the past year that focus on the large-scale theft of sensitive tax information from tax preparers, businesses and payroll companies. Individual taxpayers can also be targets of phishing scams, but cybercriminals seem to have evolved their tactics to focus on mass data thefts.
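The three sender tricks described above (a spoofed "From" with a different "Reply-To", an executive's name on a free webmail account, and a typosquatted copy of the company domain) can all be checked mechanically at the mail gateway or in a mailbox rule. The following is an added example, not code from this advisory or from the IRS; the organization domain, executive names and sample headers are constructed placeholders.

```python
"""Flag W-2/BEC sender indicators in email headers: From/Reply-To domain mismatch,
an executive display name on free webmail, and lookalikes of the org domain."""
from email.utils import parseaddr
import difflib

# Assumed values, constructed for this example (not a real organization).
ORG_DOMAIN = "examplebank.com"
EXECUTIVES = {"jane doe", "john roe"}  # display names an attacker would impersonate
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Digit-for-letter swaps seen in typosquats (e.g. "w3st" for "west").
HOMOGLYPHS = str.maketrans({"3": "e", "0": "o", "1": "l", "5": "s", "7": "t"})

def _name_and_domain(header_value):
    """Return (lower-cased display name, lower-cased domain) for an address header."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.rsplit("@", 1)[-1].lower()

def lookalike(domain, org=ORG_DOMAIN):
    """True if domain imitates org (digit swaps, one dropped or added letter)
    but is not org itself; unrelated domains return False."""
    if domain == org:
        return False
    norm = domain.translate(HOMOGLYPHS)
    return norm == org or difflib.SequenceMatcher(None, norm, org).ratio() >= 0.9

def flag_w2_bec(headers):
    """Return a list of indicator strings for a dict of parsed headers."""
    flags = []
    from_name, from_dom = _name_and_domain(headers.get("From"))
    _, reply_dom = _name_and_domain(headers.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    if from_dom in FREE_WEBMAIL and from_name in EXECUTIVES:
        flags.append(f"executive name '{from_name}' on free webmail {from_dom}")
    for dom in (from_dom, reply_dom):
        if dom and lookalike(dom):
            flags.append(f"lookalike of {ORG_DOMAIN}: {dom}")
    return flags

# Constructed sample headers (not real mail).
SAMPLES = {
    "spoofed_replyto": {"From": "Jane Doe <jane.doe@examplebank.com>",
                        "Reply-To": "jane.doe@gmail.com"},
    "free_webmail": {"From": "John Roe <johnroe.ceo@gmail.com>"},
    "typosquat": {"From": "Jane Doe <jane.doe@exampl3bank.com>"},
    "legit": {"From": "Jane Doe <jane.doe@examplebank.com>"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", flag_w2_bec(hdrs) or ["no indicators"])
```

A hit on any indicator is a reason to route the message to the out-of-band verification step rather than to block outright, since legitimate executives do occasionally mail from personal accounts.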
Best Practices:
The key to reducing the risk from W-2 phishing scams and BEC is to understand the criminals' techniques and deploy effective mitigation processes in your business. Methods to reduce the risk to your business include:
- Limit the number of employees within your business who have the authority to approve and/or conduct wire transfers and handle W-2 related requests or tasks;
- Use out-of-band authentication to verify requests for W-2 related information or wire transfer requests that seemingly come from executives. This may include calling the executive to obtain verbal verification, establishing a phone Personal Identification Number (PIN) to verify the executive's identity, or sending the executive a one-time code by text message together with a phone number to call in order to confirm the wire transfer request;
- Verify a change in payment instructions to a vendor or supplier by calling to verbally confirm the request (the phone number should not come from the electronic communication, but should instead be taken from a known contact list for that vendor);
- Maintain a file, preferably in non-electronic form, of vendor contact information for those who are authorized to approve changes in payment instructions;
- Delay processing transactions until additional verifications can be performed when contacted by the bank to verify the wire transfer; and
- Require dual approval for any wire transfer request involving one or more of the following:
  - A dollar amount over a specific threshold;
  - New trading partners;
  - New bank and/or account numbers for current trading partners; and/or
  - Wire transfers to countries outside of the normal trading patterns.
Sources:
(IR-2016-34) https://www.irs.gov/newsroom/irs-alerts-payroll-and-hr-professionals-to-phishing-scheme-involving-w2s
(IR-2017-20) https://www.irs.gov/newsroom/dangerous-w-2-phishing-scam-evolving-targeting-schools-restaurants-hospitals-tribal-groups-and-others