W-2 Phishing Tax Scam: Learnings from A 2018 Victim Case Study


Scammers are some of the most innovative folk, constantly coming up with new and refined techniques for obtaining personally identifiable information and profiting from it. Cyber criminals try to take advantage of every occasion, including tax season, when attempting to steal massive amounts of personal data.    

The facts are that fraudsters use phishing and business email compromise (BEC) tactics to extract sensitive employee information or wire transfers from organizations by requesting W-2 forms from HR and payroll personnel. To do so, adversaries use emails crafted to impersonate CEOs or other high-ranking staff, manipulating targeted employees into sharing sensitive information.

Unfortunately, these schemes are evolving and phishing criminals are expanding their scope to include various kinds of organizations. By analyzing the 2018 threat and looking at a case study from this year’s phishing victims, we can learn how to prevent further attacks as well as how to monitor for negative ripple effects of phishing tax scams targeting organizations.

Why Go After W-2s?

W-2 forms contain information on employee wages and tax deductions withheld by an employer. Additionally, W-2 forms contain personal data like the employee’s name, address, zip code, and social security number (SSN). Tax scammers may take advantage of this information for identity theft and filing fraudulent tax returns in the name of the victim. Stolen personal data may be used for other types of fraud and is often available for sale on dark web marketplaces, an integral part of the cybercriminal ecosystem. In research for this piece, we found sellers of W-2 tax forms from the 2015 and 2016 tax seasons. On some of the more popular marketplaces, we even uncovered some tax return fraud “guides” for 2018.

A screenshot from a dark web marketplace, where scammers are offering “Guides” containing information on illegally obtaining W-2 tax forms and covering up the traces of fraudulent refunds made in the victim’s name.
W-2 forms and other tax-related data from 2015-2016 sold by a scammer on the dark web. Pricing starts from $50 per file.

How Serious Is the Threat from W-2 Tax Scam?

In a 2018 advisory for employers, the IRS reiterated the need for employers to educate their HR and payroll personnel about W-2 scams. In 2017, the number of reported cases jumped to 900—nine times the previous year’s reports—with over 200 employers falling prey to adversaries, leading to “hundreds of thousands of employees” whose personal information was leaked. Barkly Security Firm reported that more than 120,000 taxpayers had been affected. Databreaches.net maintains a list of disclosed W-2 scams with 175 cases in 2016 and 204 in 2017. For 2018, only 19 cases are listed, but more may be disclosed later in 2018.

How Do Scammers Get W-2 Data? Phishing Basics

Phishing is one of the most popular techniques used by scammers to obtain information or gain a foothold on an organization’s computer network. In the majority of cases, an email is the main attack vector scammers use to extract information or deliver malware.

A popular variation is to send a phishing email with a link to a fake page mimicking a legitimate website, prompting the targeted person to enter login information, which the adversary then captures. Phishing emails that target a specific person within an organization are also known as spear phishing and are a more “personalized” kind of attack.

On April 9th, the IRS released another advisory on a tax-related scam delivered via email with “IRS Refund” in the subject line. Scammers impersonating the IRS are tricking users into opening links or attachments, aiming to harvest personal data or drop malicious payloads onto computers to monitor users’ activity and steal important information. The IRS stresses that it doesn’t reach out to taxpayers via email for confirmation of tax refund details. IRS representatives may contact a taxpayer or a business in certain cases via phone, but only after having mailed several notification letters via USPS. In all the other cases, the IRS uses USPS for communication.

Social engineering is a technique that goes hand-in-hand with phishing. In short, social engineering is aimed at manipulating a victim into disclosing sensitive information or performing a certain action like downloading a malicious attachment. Criminals trick users by exploiting the sense of urgency, fear, trust, curiosity, etc. in the email subject line or text.  

In cases of W-2 phishing, an employee receives an email crafted to look like it’s originating from a person of authority to increase the likelihood of the victim trusting the request. An employee’s readiness to fulfill the request of a “superior” in a timely manner and show their good side may keep victims from giving the email a second thought and taking extra steps for confirmation. Here are a few examples of phishing email contents reported to the IRS:

  • “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?”
  • “I want you to send me a list of W-2 copies for employees’ wage and tax statements for 2015. I need them in PDFs. You can send it as an attachment. Kindly prepare the lists and email them to me ASAP.”

According to Symantec’s Internet Security Threat Report 2018, the following words have been most used by criminals in phishing and BEC email subject lines: Urgent—9.1%, Payment—13.8%, Request—6.7%.

Phishing Criminals Are Prepared

Before initiating the attack, hackers do research on the organization they’re after. By scraping employee information from available sources like LinkedIn, Facebook, and other social networks, they investigate an organization’s structure and identify potential victims and sender personas, not to mention their habits and schedule. Prior to requesting data, an attacker may begin with some “small talk” to check whether the employee is at the office or bring up some local news to lull the employee’s vigilance.

To conduct a successful phishing operation, scammers’ options vary. There are often many “ifs” that require planning for—the recipient may not click the link or download the malicious attachment, or a company’s email security or network AV may detect the malware, and the scheme will fall apart. Instead, adversaries use other approaches, like email spoofing, to deliver requests for W-2 forms to targeted employees. This infographic by GreatHorn Security reflects some of the most popular email spoofing methods.

Phishing emails may be customized to target a specific recipient and disguised to look like they’re coming from a legitimate sender, often a high-ranking employee in the company. This tactic is known as spear phishing. Email “spoofing” methods and social engineering allow adversaries to extract data from organizations without using malware.

Email spoofing attacks rely on simulating certain message attributes so that the message appears to be sent from a source different from the actual sender. Attackers are able to spoof the sender name so that the email looks like it is coming from a certain person within the organization by manipulating email header values such as:

  • From (displays sender name)
  • Return (an address to reply to)

Additionally, attackers may register a lookalike domain that differs by only one symbol and can be easily confused with the targeted company’s domain.
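The header and domain checks described above can be run over inbound mail. The following is an added example, not part of the original article; the organization domain, the executive name and the sample messages are constructed placeholders, and the reply address is read from the standard Reply-To header.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "cityhall.example"   # assumed organization domain (placeholder)
EXECUTIVES = {"jane doe"}         # assumed names an attacker might impersonate

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def spoofing_findings(raw):
    """Return the spoofing indicators present in one raw message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []
    # A known executive's display name on an address outside the organization.
    if name.strip().lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append("executive display name on external address")
    # A sender domain exactly one character away from the real one.
    if edit_distance(from_dom, ORG_DOMAIN) == 1:
        findings.append("lookalike sender domain")
    # Replies would go to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample messages (not real mail).
LOOKALIKE = ('From: "Jane Doe" <jane.doe@cityhal1.example>\n'
             "Subject: W-2 copies\n\nSend them as PDFs ASAP.\n")
EXTERNAL = ('From: "Jane Doe" <jd.office@mail.example>\n'
            "Reply-To: jd.office@inbox.example\nSubject: Request\n\nAre you in?\n")
INTERNAL = ('From: "Jane Doe" <jane.doe@cityhall.example>\n'
            "Subject: Agenda\n\nSee attached.\n")

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("external", EXTERNAL), ("internal", INTERNAL)]:
        print(label, spoofing_findings(raw))
```

Findings like these are best used to hold a message for confirmation through a second channel before any W-2 data is sent.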

The Evolution of the W-2 Phishing Tax Scam

Since 2016, when this particular type of scam emerged, it has acquired several new characteristics. For example, many fake emails impersonating IRS professionals, tax specialists, and tax software vendors were sent under the pretense of data verification, tax refund issues, and so forth. Gradually, scammers shifted their focus to companies, which allowed them to obtain massive amounts of personal data compared to targeting individuals. Journalist Brian Krebs mentioned that some global tech companies like computer hardware vendor Seagate Technology and social app Snapchat unintentionally gave out employee W-2 information. These instances alone affected several thousand people and put their security at risk.

Individuals may still be affected, though.

In 2017, adversaries expanded their schemes to make them more efficient by using phishing web pages and attempting to drop malware on victims’ computers. The tax scam has also spread to target a wider range of organizations, broadening the attack surface and the possible number of data breach victims. In this wave, attackers started to target educational institutions, city and county administrations, and healthcare companies, among others. Based on the yearly lists of affected organizations from Databreaches.net, we’ve noticed a spike in incidents affecting these three types of organizations in 2017.

Incidents by organization type, based on Databreaches.net lists

Year                            Education   City administration   Healthcare
2016 (Total 175 incidents)      16          2                     13
2017 (Total 204 incidents)      35          3                     8
2018 (final numbers pending)    4           5                     2

Attackers also took up a new habit of requesting that unsuspecting employees send wire transfers to criminal accounts, using the same BEC and phishing tactics after the W-2 data has been extracted from the organization. Consequently, some affected organizations have leaked both employee data and funds. Altogether, in February 2017, the FBI Internet Crime Complaint Center estimated that the wire transfer follow-up scam losses skyrocketed by 1300% since 2015, exceeding $3 billion.

2018 W-2 Phishing Tax Scam Case Study

To help understand the steps and impact of these W-2 scams, we reached out to an IT department employee at Enumclaw City Administration in Washington. The city administration suffered data loss due to a phishing incident this tax season. When we spoke, it had been over a month since the incident, and it is quite likely that the initial data breach estimates reported at the early stage, when the W-2 fraud was uncovered, have changed.

So what happened?

The attack was initiated when a payroll specialist received a spoofed email, forged to look like it was sent by a city administrator, requesting the W-2 forms of employees. According to the source, the number of affected employees is within the 200-300 person range. The scammer didn’t follow up with a request for a wire transfer. The Enumclaw city IT department traced the email, finding out that it originated from an email server located in Utah. Once the scam was uncovered, it was disclosed to the IRS and the police department. To my contact’s knowledge, affected employees haven’t mentioned any immediate consequences in the aftermath, like scammers trying to contact them on Facebook or via phone. Our inquiry regarding possible security awareness training for employees and plans for implementing email security protocols was not answered, since employees are not allowed to share this information.

The W-2 scam at Enumclaw City Administration was also covered by a local TV channel, which revealed more details about the incident. According to records obtained by the media, Enumclaw employees were notified regarding the W-2 breach that occurred on February 5th only two days after the compromise and outside of office hours. Here’s what the local tax agent, Amy King, with King Tax Service, LLP says:

Companies are supposed to let their employees know if anything has been compromised, like a W-2, as soon as they possibly can . . . They feel a little betrayed because they trusted their information with a company, and it was sent somewhere else and they don’t know who all has it, where it is or what country it’s in.


The city department declined to provide feedback, stating they’re not allowed to discuss the case. However, authorities offered to pay for fraud protection for the affected personnel. Unfortunately, due to the delay in disclosure, some employees may have been scammed during the gap.

Why Should Public Organizations Be Concerned?

City administrations and public institutions like schools are more vulnerable to tax scams because their public-facing email directories and structure are easily accessible. The following factors are putting organizations at risk:

  • Little to no awareness training for employees is a major flaw that has to be addressed as part of the incident prevention measures
  • Absence of policies regulating sensitive data transfer within the organization and unregulated access privileges
  • Insufficient monitoring and email authentication methods used by the organizations make them an easy target for phishing attacks
  • Reluctance to share the valuable details of data breaches with security professionals, thereby making it difficult for the information security industry to come up with more robust security solutions

According to Proofpoint research, only 55% of organizations surveyed in the US have a clear view of their email infrastructure. To avoid spoofed email attacks, implementation of email authentication and validation protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) is essential. However, a lack of resources and budget constraints—particularly in public institutions—slow down their adoption.
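Publishing SPF and DMARC records is not the same as enforcing them. The following added example (not from the original article) audits the text of a domain's SPF and DMARC TXT records for settings that leave spoofed mail deliverable; DKIM is not covered, and the records and domain names are constructed placeholders.

```python
ENFORCING = ("quarantine", "reject")

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return weaknesses in the TXT record published at _dmarc.<domain>."""
    if not txt:
        return ["no DMARC record published"]
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ENFORCING:
        issues.append("missing or unknown policy")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if policy in ENFORCING and pct.isdigit() and int(pct) < 100:
        issues.append("policy is applied to only %s%% of mail" % pct)
    if "rua" not in tags:
        issues.append("no rua address, so no aggregate reports are received")
    return issues

def audit_spf(txt):
    """Return weaknesses in an SPF record; '~all' and '-all' both deny a pass."""
    terms = (txt or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record published"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        redirected = any(t.lower().startswith("redirect=") for t in terms)
        return [] if redirected else ["no 'all' mechanism; unlisted senders get a neutral result"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare 'all' means '+all'
    weak = {"+": "passes every sender", "?": "is neutral for unlisted senders"}
    return ["'%sall' %s" % (qualifier, weak[qualifier])] if qualifier in weak else []

# Constructed records for a placeholder domain: weak setting beside corrected one.
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@cityhall.example"
WEAK_SPF = "v=spf1 include:_spf.mailhost.example ?all"
STRONG_SPF = "v=spf1 include:_spf.mailhost.example -all"
```

In practice the record text would come from a DNS TXT lookup for the domain and for its `_dmarc` subdomain.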

Phishing and Tax Scam Incidents Prevention

Adversaries don’t limit themselves to the tax filing period. Their activity is an ongoing process that requires taxpayers to stay alert as new phishing schemes emerge.

The IRS has formed a security partnership with state tax agencies and tax industry members intended to combat fraudsters. Steps include introduction of a W-2 verification code to ensure authenticity of data on forms submitted on electronically filed individual tax returns. The 16-digit code is going to be an obstacle for scammers in the event that they attempt to file a leaked W-2.

We already discussed the “IRS Refunds” tax scam exploiting taxpayers’ urge to resolve outstanding issues before the deadline on April 17th. However, criminals who steal users’ data may use a different type of fraud. That is, after having filed a fraudulent tax return they:

  • Use a bank account belonging to the victim for depositing funds
  • After the funds are in, crooks contact the victim, impersonating the IRS or an agency acting on its behalf, to notify that the deposit was a mistake, prompting the victim to forward the funds to criminals.

The IRS is updating the list of scams here as well as the “Dirty Dozen” scams for 2018. Stay up-to-date to avoid being taken advantage of.

Quite often, W-2 scams or tax-related identity theft aren’t noticed until the victim is refused a tax return by the IRS. Here are some warning signs to look out for:

  • More than one tax return was filed using your SSN.
  • You owe additional tax, refund offset, or have had collection actions taken against you for a year you did not file a tax return.
  • IRS records indicate you received wages or other income from an employer for whom you did not work.

Contact identitytheft.gov in case one of these scenarios applies to you, and consider setting up a fraud alert for your credit records.

If you need to report W-2 data loss to the IRS, write to dataloss@irs.gov, and use the subject “W-2 Data loss.”

If you spot a phishing email, report it to the IRS via phishing@irs.gov.

IRS phone number for individuals: 800-829-1040. Prior to calling the IRS, see the list of resources you may find helpful and learn what information you need to have ready before calling.

For more details on reporting tax scams, refer to the public service announcement (PSA) from the FBI and Internet Crime Complaint Center.