Phishing, and its more targeted variety spear phishing, are generally used to extract valuable data from organizations or get a foothold on a company network to gain that data continuously—while going unnoticed by network monitoring tools and IT personnel.
It’s not unusual for threat actors to reference current events as a decoy for their phishing campaigns. These decoys can be anything, even grievous events like the recent Parkland, Florida school shooting. As reported by the security company KnowBe4, the tragedy triggered a wave of phishing emails that exploit victims’ empathy by requesting donations, asking for help in finding an allegedly missing student, or offering some “inside” content via an attachment. Sadly, scammers have few, if any, moral restraints and will try to take advantage of any situation, so users must stay vigilant at all times.
Here we’ll dive into the seasonal W-2 phishing scams that target organizations and individuals during the US tax season. We will discuss the mechanics of these attacks and provide safety tips that will help you avoid losses.
How Does Phishing Work?
Email is the prevalent attack vector for spear phishing campaigns, but unlike spam, spear phishing emails are carefully crafted and may target specific personnel within the organization: those with access to sensitive data or internal systems (databases, billing, CRM, etc.).
Threat actors do their homework on victims. They study an organization’s structure and harvest the personal data of employees, including their email addresses.
Adversaries use technical methods to ensure that spoof emails look like they’re coming from a trusted entity within the organization or one of its partners. In addition, spear phishing actors use social engineering skills to exploit victims’ emotions, such as their sense of urgency, fear, trust, curiosity, and so forth. Phishing email subject lines and content lure unsuspecting users into opening an email, visiting malicious sites, downloading malicious attachments, or sharing sensitive information. Attackers impersonate a company’s high-ranking employees to use their authority as an additional factor influencing the victim and expediting information disclosure. This kind of spear phishing is also known as “whaling.”
As it turns out, this combination of technical methods and social engineering is quite effective, placing phishing among the top methods for extracting private information. In previous articles, we covered phishing basics and recent developments in the cyber crime landscape that lower the barrier to entry for those who want to engage in phishing and other forms of cyber crime.
What Is the W-2 Phishing Scheme?
This type of tax-related scam is also known as W-2 phishing, referencing the “Wage and Tax Statement” form that employers use to report employees’ wages and their state/federal tax deductions. The information on W-2 forms, provided by employers, is also required by employees in order to calculate their tax returns. Adversaries try their best to harvest the sensitive data contained in the W-2 form, like SSNs, names, addresses, and so on. This data may be used by hackers for identity theft and for filing fraudulent tax returns. Additionally, hackers may monetize victims’ personal data by putting it up for sale on dark web marketplaces.
What Is a W-2 Form?
Normally, employers send the W-2 form for the previous tax year to employees by the end of January. This way, employees are granted sufficient time to tally up returns before April 15th, when taxes are due. After employees calculate their yearly taxes, the amount withheld by the employer during the year is subtracted from the total tax. Using the W-2 form, each employee can determine whether they’re eligible to file for a tax refund or need to pay extra taxes as the result of the calculation. Additionally, employers send W-2 copies to the IRS and the Social Security Administration. The W-2 form can be filed electronically as well as in paper form.
A History of W-2 Phishing Scams
During the 2016 tax season, W-2 spear phishing scams targeted payroll and HR departments within organizations. Individuals were also sent spoof emails impersonating the IRS and other entities, like tax software vendors, under the pretense of tax return issues or demanding “confirmation” of personal information. At one point during the 2016 season, tax-related scams involving phishing and malware outbreaks skyrocketed by more than 400%. The IRS followed up with an updated notice and security guidelines. According to the IRS, halfway through the 2016 tax season the number of reported incidents had already topped the 2014 total and continued growing on a monthly basis:
- There were 1,026 incidents reported in January, up 254 from a year earlier.
- The trend continued in February, nearly doubling the reported number of incidents compared to a year previous. In all, 363 incidents were reported from Feb. 1-16, compared to 201 incidents reported for the entire month of February 2015.
- February 2016’s 1,389 incidents topped the 2014 yearly total of 1,361 and was halfway to matching the 2015 total of 2,748.
(Numbers provided are for phishing and malware incidents combined.) — IR-2016-28, Feb. 18, 2016, IRS consumer alert
In 2017, even more threat actors were seeking to steal personal data and money from taxpayers. Scammers continued perfecting their social engineering techniques for data theft. Phishing attacks led to malware being dropped on computers or to users being tricked into visiting fake sites that mimic government tax agencies and other entities in order to steal victims’ login data.
“These email schemes continue to evolve and can fool even the most cautious person. Email messages can look like they come from the IRS or others in the tax community. Taxpayers should avoid opening surprise emails or clicking on web links claiming to be from the IRS. Don’t be fooled by unexpected emails about big refunds, tax bills, or requesting personal information. That’s not how the IRS communicates with taxpayers.”—IRS Commissioner John Koskinen
By the 2017 tax season, W-2 fraud had evolved: the attack surface increased as hackers extended their target list to organizations in healthcare, education, small business, industry, and others. In 2017, the total number of US organizations that suffered an employee data breach due to W-2 phishing was 204, a 16% increase compared to 2016. Steve Ragan from CSO Online writes that at least 120,000 employees have fallen victim to identity theft following W-2 phishing attacks in 2017.
Moreover, adversaries haven’t limited themselves solely to data extraction and fraudulent tax return filings. Scammers have begun requesting funds to be transferred into their accounts if spoof W-2 requests go well. Consequently, some companies have ended up being scammed twice—for employees’ data and money.
The same spear phishing/CEO-impersonation technique has given cyber crooks yet another revenue stream with no extra effort. According to the FBI, global losses caused by fraudulent wire transfers have reached nearly $3.1 billion since monitoring started in October 2013. The FBI’s numbers for 2017 alone show a total of $33 million lost across only four states in New England.
The Three Steps in a Typical Organizational W-2 Phishing Attack
Step 1. After investigating an organization, criminals create a spoof email, modifying it to look like it’s coming from a sender within the company. To do so, they may register a lookalike domain that closely resembles that of the organization. For example, if the real domain is bigcompany.com, attackers may send emails from the biqcompany.com domain. The slight difference is hard to spot at a glance. Usually the sender they impersonate is a person of authority, like a CEO or other high-ranking employee. This kind of spear phishing is also known as BEC—business email compromise.
Step 2. The spoofed email is sent to an employee in the HR, payroll, or accounting department. At first glance, the emails are benign. Attackers impersonating the CEO may even start a conversation with some trivial questions. Remember, they do their homework and know a few things about the targeted employee from researching their Facebook profile and so on. Targeted employees are more likely to send sensitive information if the scammers use small talk to build up trust. In other cases, attackers proceed straight to the point. Here are some typical messages that they use, based on the phishing cases reported to the IRS:
- “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all the W-2s of our company staff for a quick review.”
- “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?”
- “I want you to send me a list of W-2 copies for employees’ wage and tax statements for 2015. I need them in PDFs. You can send it as an attachment. Kindly prepare the lists and email them to me ASAP.”
It’s nothing too complicated, right?
Step 3. Once the employee sends the W-2 information, adversaries may follow up with a request for a wire transfer to a certain account, another popular tactic that is used in conjunction with W-2 spear phishing.
Optionally, hackers may also include links to spoofed websites or malware-laden attachments in an email to steal credentials and data, but in many cases social engineering tactics alone are sufficient for criminals.
Tamara Powell, director of the IRS Return Integrity Compliance Services, pointed out that criminals are very bold, mentioning a case in which a criminal didn’t like the format of the W-2 records and asked the employee to resend the information in a different format, which the employee did.
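The lookalike-domain trick described in Step 1 (biqcompany.com standing in for bigcompany.com) can be caught at the mail gateway before a payroll employee ever sees the message. The following is an added example, not code from the original article: it classifies the From: domain of each inbound message as trusted, lookalike, or external by folding common glance-alike characters and measuring edit distance against the organization’s real domain. TRUSTED_DOMAIN, the CONFUSABLES table and the sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's legitimate domain (constructed for this example).
TRUSTED_DOMAIN = "bigcompany.com"

# Character sequences that are easy to confuse at a glance (constructed, not exhaustive).
# Multi-character entries come first so "rn" folds to "m" before single characters are handled.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "q": "g", "1": "l", "0": "o"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(label: str) -> str:
    """Replace glance-alike sequences so 'biqcompany' folds to 'bigcompany'."""
    label = label.lower()
    for lookalike, real in CONFUSABLES.items():
        label = label.replace(lookalike, real)
    return label

def classify_sender(raw_message: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for the From: address of a raw message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "external"
    # Exact match or a legitimate subdomain (mail.bigcompany.com) is trusted.
    if domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    # Compare only the registrable label: bigcompany.com.evil.net should not pass as trusted.
    real_label = fold(TRUSTED_DOMAIN.split(".")[0])
    label = domain.split(".")[0]
    # Distance threshold of 2 suits labels of this length; shorten it for very short domains.
    if fold(label) == real_label or edit_distance(label, real_label) <= 2:
        return "lookalike"
    return "external"

# Constructed sample messages, not real traffic.
SAMPLE_MESSAGES = [
    "From: CEO <ceo@bigcompany.com>\nSubject: Q1 numbers\n\nPlease review.",
    "From: CEO <ceo@biqcompany.com>\nSubject: W-2 copies\n\nKindly send the W-2 PDFs ASAP.",
    "From: CEO <ceo@bigcompany.com.evil.net>\nSubject: Urgent\n\nWire request attached.",
]

def triage(messages=SAMPLE_MESSAGES) -> list:
    """Classify each sample message; anything 'lookalike' should be quarantined for review."""
    return [classify_sender(m) for m in messages]
```

A real deployment would also compare Reply-To and Return-Path domains and the display name, since attackers often spoof those rather than the From: address alone.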
Phishing Safety Measures for the 2018 Tax Season
The 2018 tax season is in full swing, and we’re going to see more W-2 phishing and wire transfer scams. Fraudsters are likely to make organizations their priority targets, with an emphasis on HR, finance, and payroll employees as sources of valuable information. In fact, there are already 18 organizations on the 2018 W-2 Phishing/BEC Victims List.
The FBI published a 2018 PSA on actions that should be taken in case an organization encounters or suffers from a tax-related phishing incident. Some of them are listed below.
Continuous and regular employee training is one of the primary measures that can minimize the risks of W-2 data theft. Additionally, organizations should establish a policy on handling/storing sensitive data as well as limit the number of employees that have access to it.
Employees should be taught to spot phishing emails, calls, and other forms of communication. Since BEC attacks rely on social engineering techniques, the data handling policy within an organization should include a mechanism for additional verification of requests, like confirming incoming email requests directly with the sender via a phone call. Employees should report scam emails to the IRS via email@example.com, according to the following instructions from the IRS:
- The email headers should be provided in plain ASCII text format. Do not print and scan.
- Save the phishing email as an email file on your computer desktop.
- Open your email and attach the phishing email file you previously saved.
- Send your email containing the attached phishing email file to firstname.lastname@example.org. Subject line: W-2 Scam.
- Do not attach any sensitive data such as employee SSNs or W-2s.
- File a complaint with the Internet Crime Complaint Center (IC3) at www.ic3.gov.
In case the organization suffers a data loss, it should be reported to the IRS via email@example.com with the subject “W-2 Data Loss.” If the report is filed quickly enough, the IRS may take measures to reduce the damage and protect employees from identity theft and fraudulent tax return filings. The following information must be provided:
- Business name
- Business employer identification number (EIN) associated with the data loss
- Contact name
- Contact phone number
- Summary of how the data loss occurred
- Volume of employees affected
Additionally, organizations may file reports with the FBI’s Internet Crime Complaint Center at www.ic3.gov.
The IRS and state revenue departments have started the Taxes.Security.Together campaign to educate taxpayers about the risks and threats to their personal and financial data. Familiarize yourself with the guidelines for taxpayers and organizations compiled by IRS, explaining how to identify IRS-related phishing and online scam scenarios. Security for Taxpayers is an additional memo from the IRS with condensed guidelines on identity theft prevention.
Technical Measures for W-2 Phishing Scam Prevention
At the same time, IT departments should implement email validation and authentication mechanisms against email spoofing, like Sender Policy Framework (SPF), which lets a domain publish the hosts authorized to send mail for it, and DomainKeys Identified Mail (DKIM), which allows senders to “sign” their messages with a digital signature. Together they allow verification that an email is actually coming from the listed domain and hasn’t been tampered with. Secure email gateways paired with network monitoring and security tools should be deployed as well, since phishing emails may carry malicious payloads in attachments. It is important to remember that endpoint protection alone is not enough.
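An SPF record is only as strong as its final “all” qualifier, and a record that exceeds the RFC 7208 limit of 10 DNS-lookup mechanisms evaluates to permerror, which effectively disables the protection. The following is an added example, not part of the original article: a small auditor that parses an SPF TXT record, reports weak “all” settings and lookup-limit problems, and is run over a constructed weak record beside its hardened form. The domain names in the records are placeholders.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(record: str) -> dict:
    """Parse one SPF TXT record and return its 'all' qualifier, lookup count and findings."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "lookups": 0,
                "findings": ["not an SPF record (missing v=spf1)"]}
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    findings = []
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every host on the Internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: receivers will not reject spoofed mail")
    elif all_qualifier == "~":
        findings.append("'~all' is a soft fail: spoofed mail is marked, not rejected")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10: record yields permerror")
    return {"valid": True, "all": all_qualifier, "lookups": lookups, "findings": findings}

# Constructed records: a weak one a payroll-spoofing attacker would love, and its hardened form.
WEAK_RECORD = "v=spf1 include:_spf.example.net a mx ?all"
HARDENED_RECORD = "v=spf1 include:_spf.example.net -all"

def compare_records(weak: str = WEAK_RECORD, hardened: str = HARDENED_RECORD) -> dict:
    """Audit both records so the difference in findings is visible side by side."""
    return {"weak": audit_spf(weak), "hardened": audit_spf(hardened)}
```

Run the auditor against your own domain’s TXT record; anything other than “-all” with a sane lookup count means spoofed W-2 requests from “your” domain can still reach the inbox.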