Posted on 02.23.17
John DeMarzo, Risk Advisory Services Associate
It's tax season, and that means a specific type of fraud is spreading like a cold through a pre-school. It’s called W-2 fraud, and it involves a scammer sending a tricky, “phishing” e-mail to someone working at a company to try to get them to send employee W-2 data to the scammer.
Subject: Quick Favor
Hi Joe, would you kindly send me the individual 2016 W-2 and earnings summary for all of our staff? I am performing a routine review for the Board. I need to have it to them by the end of the day. So please put this at the top of your list.
(804)555-5555 – YourCompany.com
In this example, someone impersonating the CEO sends what looks like a routine request to a payroll clerk. If you look closely, the domain in the “from” address differs from the real company domain by only one letter. Additionally, the phisher is exploiting the CEO’s position of authority and fabricating a time constraint, both of which are social engineering techniques meant to make the recipient stop thinking critically and start acting. Before you know what happened, the data is out the door and in the hands of the thief.
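As an added example (not part of the original post), here is a small triage check a mail gateway or help desk script could run on a message like the one above: it flags a sender domain that is within a couple of characters of the real company domain, and it flags the two social engineering cues the post describes, a request for W-2 data and artificial urgency. The company domain `yourcompany.com` and the sample headers are assumed for illustration.

```python
import re

LEGIT_DOMAIN = "yourcompany.com"  # assumed real company domain (constructed)

URGENCY_CUES = ("end of the day", "asap", "top of your list", "immediately")
SENSITIVE_CUES = ("w-2", "w2", "earnings summary", "ssn")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is typically 1-2 edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'CEO <ceo@example.com>'."""
    m = re.search(r"<?([^<>\s]+)@([^<>\s]+)>?", from_header)
    return m.group(2).lower() if m else ""


def classify_sender(from_header: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """'internal', 'lookalike' (one or two characters off), 'external' or 'unparseable'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain == legit_domain:
        return "internal"
    if edit_distance(domain, legit_domain) <= 2:
        return "lookalike"
    return "external"


def triage(from_header: str, body: str, legit_domain: str = LEGIT_DOMAIN) -> list:
    """Return the list of reasons a message deserves a second look before replying."""
    reasons = []
    if classify_sender(from_header, legit_domain) == "lookalike":
        reasons.append("sender domain is a lookalike of " + legit_domain)
    text = body.lower()
    if any(cue in text for cue in SENSITIVE_CUES):
        reasons.append("requests sensitive payroll data")
    if any(cue in text for cue in URGENCY_CUES):
        reasons.append("uses artificial urgency")
    return reasons


# Constructed sample: the From: header is made up; the body is the post's example e-mail.
SAMPLE_FROM = "CEO <ceo@yourcompamy.com>"
SAMPLE_BODY = ("Hi Joe, would you kindly send me the individual 2016 W-2 and earnings summary "
               "for all of our staff? I need to have it to them by the end of the day. "
               "So please put this at the top of your list.")
```

Calling `triage(SAMPLE_FROM, SAMPLE_BODY)` on the sample returns all three reasons; a clean internal message about an unrelated topic returns an empty list.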
What happens to the data?
With this private data, the phisher could file fraudulent tax returns to steal the associated refunds. Or the data could be used to obtain a credit card or another loan in the victim’s name.
Some phishers looking for a quick payday simply sell the W-2 tax forms on the “dark web,” where any identity thief --- for the Bitcoin equivalent of between $4 and $20 --- can access a person’s name, address, SSN, and other highly sensitive information.
“If your CEO appears to be e-mailing you for a list of company employees, check it out before you respond,” IRS Commissioner John Koskinen stated in an IRS news filing last March. “Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
According to Krebs on Security, these phishers are expanding their targets to include school districts, healthcare organizations, chain restaurants, temporary staffing agencies, tribal organizations, and non-profits.
In addition to the W-2 fraud, phishers are also executing the “CEO fraud,” in which an e-mail is sent to the company’s controller requesting that a wire payment be made to a certain account.
“Although not tax-related, the wire transfer scam is being coupled with the W-2 scam e-mail, and some companies have lost both employees’ W-2’s and thousands of dollars,” Koskinen said, according to Krebs on Security.
Last June, the FBI estimated that phishers had stolen over $3 billion from more than 22,000 victims using a combination of these scams.
How can you prevent your company from being victimized by a phishing attack? Here are just a few tips:
1. Security Awareness Training.
“There is no such thing as perfect security” is just another way of saying that sooner or later, your employees will be the target of an attack. When they are, they need to be informed and motivated to identify these scams. You will typically see three flavors of training:
2. Use advanced data scanning appliances.
Advanced data scanning appliances are able to help prevent employees from sending personally identifiable information outside the organization.
3. Check e-mails carefully.
If you believe you have received a suspicious e-mail, do not open it. Alert your IT staff so they can investigate.