It is that time of year again, and the fraudsters are gearing up their campaigns to try to gain access to sensitive business and personal tax information.
W-2 Phishing Scams:
Since 2016, cybersecurity organizations have observed tax-form-related phishing scams around this time of year, including several new variations that combine W-2 scams with business email compromise (BEC), business email spoofing (BES) and wire transfer fraud. The IRS’s Online Fraud Detection & Prevention (OFDP) office, which manages phishing@irs.gov, observed a significant increase in reports of W-2 related scams, from more than 100 in 2016 to approximately 900 reports in 2017. The volume of reports jumped dramatically in February 2017, accounting for 60% of the BEC/BES W-2 reports received in 2017. Emails to phishing@irs.gov came from both victims and non-victims, many of whom noted repeated contact, with multiple W-2 requests or follow-up emails. Such instances could indicate a multi-step campaign, with actors following up with a fraudulent wire transfer request before, during or after the request for W-2s.
Trends:
Cybercriminals use various spoofing techniques in attempts to contact an employee in the payroll or human resources department, requesting a list of all employees and copies of their Form W-2. Such techniques include disguising an email to make it appear as if it is from an organization executive, or even compromising the executive’s email account itself to gain legitimacy. They achieve this either by spoofing the “From” field and adding a “Reply-To” address that directs replies to the criminal, or by using a free email service account for the email address and spoofing the sender’s display name.
The most popular methods remain sending an email that either spoofs the target organization’s domain or uses a free email account or a typosquatted domain (e.g., minwestbank.com, minnw3stbank.com) to impersonate a C-level executive to an HR professional within the organization.
In the latest twist, the cybercriminal follows up with an “executive” email to the payroll department or comptroller and asks that a wire transfer also be made to a certain account. In one case, an administrator account was phished and that mailbox was used to contact the company’s president requesting W-2s. Although not itself tax related, the wire transfer scam is being coupled with the W-2 scam email. Some companies have lost both their employees’ W-2s and thousands of dollars to wire transfers. In some cases, firms received a BEC wire transfer request simultaneously with, or immediately after, falling victim to the BEC W-2 request.
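As an added illustration (not code from the IRS alerts or from this post), the header checks below flag the spoofing patterns described above: a Reply-To that diverts answers away from the apparent sender, a sender or reply address on a look-alike domain, and an executive’s display name on a free webmail account. The organization domain, executive name and sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: our real domain, impersonated executives, webmail providers.
ORG_DOMAIN = "northbank.com"
EXEC_NAMES = {"jane doe"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats such as n0rthbank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain):
    """True when a domain is close to, but not equal to, the real one."""
    return domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2

def flag_w2_request(raw):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = reply.rpartition("@")[2].lower()
    findings = []
    if reply and reply_dom != from_dom:      # replies silently diverted
        findings.append("reply-to-mismatch")
    if lookalike(from_dom):                  # sender on a typosquat domain
        findings.append("typosquat-sender")
    if lookalike(reply_dom):                 # answers go to a typosquat domain
        findings.append("typosquat-reply-to")
    if from_dom in FREE_MAIL and name.strip().lower() in EXEC_NAMES:
        findings.append("exec-name-on-free-mail")   # executive name, webmail account
    if "w-2" in msg.get_payload().lower():   # the actual ask
        findings.append("w2-keyword")
    return findings

# Constructed sample message in the style the post describes.
PHISH = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: ceo-desk@n0rthbank.com
To: payroll@northbank.com

Please send me the W-2 of all employees as PDF today.
"""
```

Mail gateways usually expose these headers to a rule engine, so the same checks can be expressed there; the domain-distance test should be tuned per organization to avoid matching legitimate partner domains.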
The W-2 scam is just one of several new variations to appear in the past year that focus on large-scale thefts of sensitive tax information from tax preparers, businesses and payroll companies. Individual taxpayers can also be targets of phishing scams, but cybercriminals seem to have evolved their tactics to focus on mass data theft.
Best Practices:
The key to reducing the risk from W-2 phishing scams and BEC is to understand the criminals’ techniques and deploy effective mitigation processes in your business. Some of the methods that reduce this risk to your business include:
Sources:
(IR-2016-34) https://www.irs.gov/newsroom/irs-alerts-payroll-and-hr-professionals-to-phishing-scheme-involving-w2s
(IR-2017-20) https://www.irs.gov/newsroom/dangerous-w-2-phishing-scam-evolving-targeting-schools-restaurants-hospitals-tribal-groups-and-others