IRS Issues Warning About W-2 Phishing Scams

W-2 phishing scams increased considerably in 2015, prompting the IRS to issue a warning about the risk of attack. Now, just over 4 weeks into 2017, the IRS has issued a further warning in response to the sheer number of W-2 phishing scams that have been reported so far this year.

This type of scam – often referred to as business email compromise (BEC) or business email spoofing (BES) – is simple, but highly effective. The attacker emails a payroll or HR staff member and asks for W-2 Form data for the entire workforce to be sent by return. Typically, the request is for the W-2 Forms of all individuals who worked in the previous tax year. The information is often asked for in PDF format.

The request appears to come from the company’s CEO, CFO, or another high-ranking executive with authority. Payroll and HR employees respond to the email and send the data as requested because the email seems genuine. The individual who appears to have sent the request is likely to have a need for the information.

Research is conducted on the company by the attackers. They find out the email addresses of staff members to target and select an executive that is likely to have a need for W-2 Form data. The email address of the chosen executive is then spoofed using a variety of techniques to make the request appear to have been sent from within the company.

The consequences of responding to such a scam can be serious, certainly for an organization’s employees. The data on W-2 Forms can be used for a wide range of nefarious purposes, although the main purpose of the attack is to obtain the data necessary to file fraudulent tax returns.

Last year, there were at least 145 reports of successful W-2 phishing scams sent to the IRS and more than 29,000 employees were impacted by those scams. Given the number of successful scams already reported this year, 2017 looks set to be far worse than last year.

There have been at least 23 such scams pulled off in January, and over the past week, the number of reports received by the IRS has increased substantially.

It is not only the corporate world that is being targeted. Healthcare institutions, school districts, nonprofits, tribal organizations, restaurant chains, staffing agencies, and shipping and freight companies are all being targeted. In fact, any business or organization is a potential target.

This year, a new trend has emerged. In addition to the W-2 phishing scams, victims are also subjected to a second attack. The same spoofed email account is used to send a request to payroll or the comptroller requesting a bank transfer be made.

These scams were commonplace in 2016. In some cases, transfers of millions of dollars were sent to fraudsters’ accounts. The FBI reported that cybercriminals attempted to steal $3.1 billion by the middle of last year. The transfer amounts ranged from around $10,000 to tens of millions of dollars.

The year may still be young, but several organizations have been stung twice and have sent W-2 Form data and made fraudulent bank transfers.

To avoid becoming a victim of these scams, employees must be made aware of the risk and instructed to exercise caution. Any request to send W-2 Form data should be treated as suspicious, even if that request appears to have been made by the CFO.

Policies should be introduced that require payroll/HR staff to properly authenticate any request for W-2 forms that is sent via email. Internal policies should also be developed covering wire transfers – and especially international wire transfers – to ensure such requests are authenticated before transfers are processed.
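A mail-gateway check can support these policies by holding the W-2 and transfer requests described above for out-of-band verification. The sketch below is an added example, not part of the IRS guidance or the original article; the domain, executive names, mailboxes, keyword list and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values: replace with the organisation's own domain and directory data.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
PAYROLL_MAILBOXES = {"payroll@example.com", "hr@example.com"}
SENSITIVE = re.compile(r"\bw-?2\b|wire transfer|bank transfer", re.I)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def review_reasons(raw):
    """Return the reasons a message should be held for verification ([] = deliver)."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    if to_addr.lower() not in PAYROLL_MAILBOXES or not SENSITIVE.search(text):
        return []
    # Every such request is verified, even one that looks internal.
    reasons = ["sensitive request to payroll/HR: confirm with the sender by phone"]
    if name.strip().lower() in EXECUTIVES and domain(from_addr) != ORG_DOMAIN:
        reasons.append("executive display name on an external address")
    if reply_addr and domain(reply_addr) != domain(from_addr):
        reasons.append("Reply-To domain differs from From domain")
    return reasons

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Jane Doe <jane.doe@example.com>\n"
           "Reply-To: jane.doe@mail-example.net\n"
           "To: payroll@example.com\nSubject: W-2 forms\n\n"
           "Please send me the W-2 forms for all employees as a PDF.\n")
LOOKALIKE = ("From: Jane Doe <ceo@examp1e-mail.net>\n"
             "To: payroll@example.com\nSubject: Urgent\n\n"
             "Please process a wire transfer today.\n")
BENIGN = ("From: Jane Doe <jane.doe@example.com>\n"
          "To: payroll@example.com\nSubject: Team lunch\n\n"
          "Lunch is at noon on Friday.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(label, review_reasons(raw))
```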

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.