New W-2 Phishing Scam Hits Businesses Twice

Well, it’s tax season again, which means it’s also W-2 theft season. This year’s phishing ploy is a new variation on one that first appeared last year, and this time the scammers aren’t content with just employee social security numbers; along with businesses, cybercriminals are also targeting schools, hospitals, non-profits, and even tribal organizations.

According to the IRS website, here's how it works: “Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.”

To add insult to injury, the cybercriminals are double-dipping this year: after the initial email, they follow up “with an ‘executive’ email to the payroll or comptroller and ask that a wire transfer also be made to a certain account.” As a result, businesses are losing thousands of dollars along with sensitive employee information.

This kind of social engineering is not new, but most organizations are still not prepared to handle this increasingly common attack. Most employees believe that they wouldn’t fall for a scam like this, but it’s important to remember that these are not the kind of typo-ridden emails you’d get from ‘a Nigerian Prince’: they’re highly researched, highly sophisticated and often quite difficult to distinguish from legitimate emails.

Common tactics include:

  • Spoofing emails to appear as though they’re coming from a higher-up in the company
  • Including details specific to the company or even the employee, adding legitimacy to the email
  • Putting some sort of pressure on the recipient, demanding the information and scaring the victim with fake repercussions if they don't comply immediately

So how do you combat this kind of attack? With clearly defined organizational protocols, training and testing. Criminals get away with these emails when employees are confused or unsure about whether and how they should alert a superior. But if you know that there is an established process for distributing sensitive information, and someone is trying to override that, you’ll be more likely to double-check before handing over the info.

The IRS has urged those affected by the scam to report these thefts immediately so that the agency can prevent any tax-related identity theft from occurring. It has also provided guidelines for reporting the scam and general principles for staying safe online during tax season.

For advice on how to avoid phishing and other attacks, check out our Safe Small Business Guide, and protect yourself from the scams that threaten organizations like yours.

Written by Luke Robbins