Tax Season Triggers Wave of W-2 Business Email Compromise Attacks

Campbell County Health is the latest victim of a W-2 business email compromise attack, which has resulted in the tax information of 1,457 hospital employees being disclosed to a scammer.

The Gillette, WY-based healthcare system discovered Wednesday that an employee had responded to an email request for the W-2 form data of hospital employees. As is common in these scams, the attacker impersonated a hospital executive and requested W-2 information for all employees who had taxable earnings in 2016.

A 66-year-old hospital worker responded to the email and sent the information as requested. However, rather than being sent to the hospital executive, the data was sent to the scammer.

Andy Fitzgerald, CEO of Campbell County Health, issued a statement confirming “no protected health information for our employees or our patients were released in this incident.” The breach was limited to W-2 data. All affected employees have now been contacted and have been offered identity theft protection services through a leading credit monitoring and identity theft protection company.

Law enforcement has been notified of the attack, and hospital officials and a cyber security response team are investigating and trying to identify the attacker. Fitzgerald said the incident is being treated very seriously and “we will continue to review and enhance our security practices to further secure our systems.”

While Campbell County Health is one of the first healthcare organizations to report a W-2 attack this year, it is far from alone. Over the course of the past few weeks there have been numerous business email compromise attacks reported.

This week, eight school districts in Missouri were targeted by scammers. The Missouri Department of Elementary and Secondary Education confirmed that an employee of one of those districts – the Odessa School District – fell for the scam and emailed employee W-2 form data to the attacker. Also this week, the Tipton County Schools District in western Tennessee experienced a similar attack that resulted in the tax information of its employees being emailed to a scammer.

Tax season always sees a massive rise in business email compromise attacks and other tax-related scams. Last year, more than 41 U.S. companies reported that employees’ personal information had been compromised as a result of these scams in the first quarter of 2016. The massive increase in attacks in 2016 prompted the IRS to issue a warning to organizations of the high risk of an attack. In the first quarter of 2016, tax-related malware and phishing incidents increased by 400%. The FBI reports a 1,300% increase in BEC attacks since January 2015.

The scams typically involve the impersonation of the CEO or CFO of a company, or another individual with authority. An email is sent to a member of the accounts, billing, or HR department requesting the W-2 information of employees. The attacks are often successful because employees are unwilling to question requests from the CFO, CEO or other C-suite members.

These attacks tend to be highly targeted. Employees are often researched via professional networking and social media websites and are sent carefully crafted emails from spoofed email accounts. In some cases, corporate email accounts are compromised and the email requests are sent from genuine company accounts.

To counter the threat, all individuals in a company with access to employee data should be notified of the threat and warned of the increased risk of attack during tax season. A system should also be set up to ensure that any request for employee information is authenticated by some means other than email.
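The two points above (executives impersonated from spoofed or compromised accounts, and W-2 requests needing confirmation outside email) can be turned into a simple mail-triage rule. The script below is an added example written for this article; it is not code from the article or from any organization it names. The corporate domain, the executive roster, the keyword list and the three sample messages are all constructed for illustration. It parses a raw message, flags an executive's display name appearing on an address other than the roster entry, flags a Reply-To that steers answers outside the company, and routes any W-2 request to out-of-band verification even when it comes from the genuine address, since the article notes that real accounts are sometimes compromised.

```python
"""Triage inbound mail for signs of a W-2 business email compromise attempt.

Added example for this article; not code from the article or from any
organization named in it. The corporate domain, executive roster, keyword
list and the three sample messages are constructed for illustration.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

CORPORATE_DOMAIN = "example-hospital.test"                      # assumed
# Assumed roster: lower-cased display name -> the only legitimate address.
EXECUTIVES = {"jane doe": "jane.doe@example-hospital.test"}
# Phrases that indicate the mail is asking for employee tax data.
W2_KEYWORDS = ("w-2", "w2 form", "wage and tax statement", "taxable earnings")


def _body_text(msg: Message) -> str:
    """Return the text/plain content of a parsed message as one string."""
    if msg.is_multipart():
        chunks = [p.get_payload(decode=True) or b""
                  for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(chunks).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def requests_w2(text: str) -> bool:
    """True when the subject or body mentions W-2 data."""
    lowered = text.lower()
    return any(k in lowered for k in W2_KEYWORDS)


def impersonation_indicators(msg: Message) -> list:
    """Header-level signs that the sender is posing as an executive."""
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    known = EXECUTIVES.get(display.strip().lower())
    # An executive's name on any address other than the roster entry covers
    # both free-mail spoofs and look-alike domains.
    if known and addr != known:
        reasons.append(f"display name '{display}' used with {addr}, roster says {known}")
    # Replies steered outside the company are a classic BEC tell.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if not reply.lower().endswith("@" + CORPORATE_DOMAIN):
            reasons.append(f"Reply-To {reply} is outside {CORPORATE_DOMAIN}")
    return reasons


def triage(raw: str) -> dict:
    """Classify one raw RFC 5322 message.

    Policy: a W-2 request plus impersonation signs is quarantined; a W-2
    request from a genuine address still needs confirmation by a channel
    other than email, because real accounts get compromised too.
    """
    msg = message_from_string(raw)
    w2 = requests_w2(msg.get("Subject", "") + "\n" + _body_text(msg))
    indicators = impersonation_indicators(msg)
    if w2 and indicators:
        action = "quarantine"
    elif w2:
        action = "verify_out_of_band"
    elif indicators:
        action = "flag"
    else:
        action = "deliver"
    return {"w2_request": w2, "indicators": indicators, "action": action}


# --- constructed sample messages (not real mail) -------------------------
SPOOFED = """From: "Jane Doe" <jane.doe@freemail.test>
Reply-To: jane.doe.ceo@freemail.test
To: payroll@example-hospital.test
Subject: W-2 forms needed today

Please send me the W-2 forms for all employees with taxable earnings in 2016.
"""

GENUINE_ADDRESS = """From: "Jane Doe" <jane.doe@example-hospital.test>
To: payroll@example-hospital.test
Subject: Quick request

Can you forward the W-2 data for the finance team to me?
"""

BENIGN = """From: "Jane Doe" <jane.doe@example-hospital.test>
To: payroll@example-hospital.test
Subject: Board meeting

Agenda for Thursday attached.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("genuine", GENUINE_ADDRESS), ("benign", BENIGN)):
        print(name, triage(sample))
```

The roster lookup is deliberately strict: it compares the whole address, not just the domain, so a look-alike domain is caught the same way as a free-mail account. The keyword list is the weakest part of the rule and should be treated as a starting point; what matters is that the `verify_out_of_band` outcome is enforced by a phone call or in-person check, which is the control the article recommends.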

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.