New W-2 Phishing Scam Hits Businesses Twice

Well, it’s tax season again, which means it’s also W-2 theft season. This year’s phishing ploy is a new variation on one that first appeared last year, and this time the scammers aren’t content with just employee Social Security numbers. Along with businesses, cybercriminals are also targeting schools, hospitals, non-profits, and even tribal organizations.

How It Works

According to the IRS website, here's how this scam plays out: “Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.”

To add insult to injury, the cybercriminals are double-dipping this year: after the initial email, they follow up “with an ‘executive’ email to the payroll or comptroller and ask that a wire transfer also be made to a certain account.” As a result, businesses are losing thousands of dollars along with sensitive employee information.

This kind of social engineering is not new, but most organizations are still not prepared to handle this increasingly common attack. And while employees might not believe that they'd fall for a scam like this, it’s important to remember that these are not the kind of typo-ridden emails you’d get from ‘a Nigerian Prince’ - they’re highly researched, highly sophisticated and often quite difficult to distinguish from legitimate emails.

Common tactics include:

  • Spoofing emails to appear as though they’re coming from a higher-up in the company
  • Including details specific to the company or even the employee, adding legitimacy to the email
  • Putting some sort of pressure on the recipient, demanding the information and scaring the victim with fake repercussions if they don't comply immediately

So how do you combat this kind of attack? With clearly defined organizational protocols, training and testing. Criminals get away with these emails when employees are confused or unsure about whether and how they should alert a superior. But if you know that there is an established process for distributing sensitive information, and someone is trying to override that, you’ll be more likely to double-check before handing over the info.

The IRS has urged those affected by the scam to report these thefts immediately so that the agency can prevent any tax-related identity theft from occurring. They have also provided guidelines for reporting the scam and general principles for staying safe online during tax season. 

The Scam In Action

This scam actually happened to a company we know (not a Switchfast client), and it resulted in a ton of trouble for the entire organization. 

An email arrived in a payroll clerk’s inbox claiming to be from the CEO of the company, asking for all employee W-2s for 2015 to be emailed in reply. The address was a gmail.com address, but the payroll clerk complied.

The clerk asked a member of HR to provide the W-2s to her, and the person in HR was a temporary worker who did not question the request. The clerk then forwarded the W-2s for all employees in the company to the hacker who was posing as the CEO.

The clerk felt something was wrong after she sent the information, but she wasn't sure, and since she had already sent the W-2s, she probably did not want to find out.

Months later, some employees went to file taxes, and were told by the IRS, “Your taxes have already been filed.” By the time they figured out what happened, it was too late.

Needless to say, the company then had to provide their employees and former employees identity protection services, lawyers got involved, and the whole thing became a huge mess to sort out.
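
The email in this story combined the common tactics listed earlier: an executive's name on an outside (gmail.com) address, a request for every employee's W-2, and pressure to act. A mail-filter check for that combination is shown here as an added example, not code from this post or from Switchfast; the company domain, executive names, keyword lists and sample messages are all assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example; load them from your own directory.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}   # display names of senior staff
SENSITIVE = re.compile(r"\bw-?2s?\b|wire transfer|all employees", re.I)
PRESSURE = re.compile(r"\b(urgent|immediately|asap|right away)\b", re.I)

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def flags_for(raw):
    """Return the set of warning flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Plain-text parts only; transfer-encoded bodies are not decoded here.
    body = "\n".join(str(p.get_payload()) for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = msg.get("Subject", "") + "\n" + body
    flags = set()
    if " ".join(name.lower().split()) in EXECUTIVES and _domain(addr) != COMPANY_DOMAIN:
        flags.add("exec_name_external")      # executive's name, outside address
    if reply_to and _domain(reply_to) != _domain(addr):
        flags.add("reply_to_mismatch")       # replies would go somewhere else
    if SENSITIVE.search(text):
        flags.add("sensitive_request")       # W-2s, employee list, wire transfer
    if PRESSURE.search(text):
        flags.add("pressure")                # urgency language
    return flags

def should_hold(raw):
    """Hold for out-of-band confirmation: spoofing signal plus sensitive request."""
    f = flags_for(raw)
    return bool(f & {"exec_name_external", "reply_to_mismatch"}) and "sensitive_request" in f

# Constructed sample messages (not real mail).
SPOOFED = ('From: "Jane Doe" <ceo.office@gmail.com>\nTo: payroll@example.com\n'
           "Subject: W-2 request\n\n"
           "I need the W2s for all employees for 2015 emailed to me immediately.\n")
INTERNAL = ('From: "Payroll" <payroll@example.com>\nTo: staff@example.com\n'
            "Subject: Your W-2 is available\n\n"
            "Log in to the HR portal to download it.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(label, sorted(flags_for(raw)), "HOLD" if should_hold(raw) else "deliver")
```

A held message should go to the established verification process (for example, a call to the executive on a known number) rather than being silently dropped, since keyword matches alone also fire on legitimate payroll mail.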

What Switchfast Is Doing About It

Social engineering is becoming a huge problem for companies today. Phishing, spoofing, and other means of deception are incredibly powerful threats, but every single one of them can be prevented with the right preparation and training. And that's where we want to help.

The payroll clerk and HR temp who were targeted in this scam complied with the scammer because of uncertainty, which is a social engineer's greatest asset. Through pressure and intimidation, they can coerce people to comply with the most suspicious orders, and the victims don't question it because they don't know what to do in this situation and they're afraid of getting in trouble. 

That's why Switchfast is offering cybersecurity training (at nominal cost) for companies that could use help spotting social engineering and defining processes for handling sensitive information. A well-informed workforce is a secure workforce, and that starts with training. So if your organization could benefit from a crash course in phishing prevention, follow the link below for more details on our upcoming training seminar. We'll help you prevent this scam - and any other - from getting past your employees.

To learn more about Switchfast's Cybersecurity and PII Training/Certification seminars, click here.

Written by Nik Vargas