ARTICLE
23 January 2018

A New Tax Season, But The Same W-2 Spear Phishing Scam

B
BakerHostetler

Contributor

BakerHostetler logo
Recognized as one of the top firms for client service, BakerHostetler is a leading national law firm that helps clients around the world address their most complex and critical business and regulatory issues. With five core national practice groups — Business, Labor and Employment, Intellectual Property, Litigation, and Tax — the firm has more than 970 lawyers located in 14 offices coast to coast. BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, an award-winning data privacy practice and an industry-leading business practice. The firm is also recognized internationally for its groundbreaking work recovering more than $13 billion in the Madoff Recovery Initiative, representing the SIPA Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC. Visit bakerlaw.com
Explore
According to the IRS, the IRS saw the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increase to 200 in 2017 from 50 in 2016.
United States Criminal Law
Photo of David E. Kitchen
Photo of David Brown
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

According to the IRS, the IRS saw the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increase to 200 in 2017 from 50 in 2016. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen. In some cases, the criminals requested both the W-2 information and a wire transfer. Once the scammers obtain copies of W-2s, they can move quickly to file fraudulent tax returns that could mirror the actual income received by employees – making the fraud more difficult to detect.

The W-2 scams often begin with a "spoofing" email that appears to be sent by a company's CEO or CFO to one or more employees in human resources or payroll or an executive assistant. Some cybercriminals specifically target these emails at times when the executive may be traveling, the business may be urgently preparing tax statements or other periods when employees are more likely to be caught off guard. Cybercriminals attempt to trick the employees into disclosing employee names, Social Security numbers and income information. The criminals then attempt to file fraudulent tax returns for tax refunds. Here is an example.

________________________________________________________________________

From:               Heather.Smith@company.com

To:                   Steve.Adams@company.com

Subject:           Treat as Urgent

Date:               February 20, 2018 10:55 AM

________________________________________________________________________

Hi, Steve,

I need copies of all employees' W-2 wage and tax statements for 2017 to complete a business transaction. I need them in PDF format. Please send them as an attachment as soon as you can.

Regards,

Heather

________________________________________________________________________

The email appears to be a completely legitimate request from a legitimate email address, but in reality the email is from someone entirely different and has the "REPLY TO" field (which is typically hidden from the end user) set to an email address controlled by the criminal; for example, ceo@mail.com. The email headers would show this. Other variations on the content of the W-2 scam requests can be found in the IRS' alert on the topic issued Jan. 25, 2017.

We expect W-2 scams to continue to rise because of (1) the success attackers had in the past several years; (2) the increase in activity year over year; (3) the time and effort it takes to send targeted emails to employees across industries, which is significantly less than the effort it takes to infiltrate a network; and (4) the low cost to enter the market as an entry-level criminal conducting W-2 scams. The IRS will likely issue further alerts as the tax season gets underway.

In order to prepare for the upcoming tax season, companies can focus on some of the following best practices:

  • Re-educate all employees about phishing in general and spear phishing in particular.
  • Never take an email from an ostensibly familiar source at face value; for example, an email from the CEO or an HR executive. If it asks you to open a link or an attachment, think twice.
  • If an email contains a link, hover your cursor over the link to see the web address (URL) destination. If it's not a URL you recognize or if it's an abbreviated URL, don't open it.
  • Consider a verbal confirmation by phone during tax season if you receive an email requesting copies of W-2s.
  • Be cautious of verification via instant messaging (IM), as an attacker with access to an email account may also have access to IM.

Bottom line, payroll officials should double-check any executive-level or unusual requests for copies of W-2s. You can review a compilation of IRS alerts as well as further information on how to avoid tax fraud in general on the IRS' website.

2018 BakerHostetler Data Security Incident Response Report

Our annual data security incident response report, which provides an in-depth look at cybersecurity trends, will be released soon. Get your complimentary copy by signing up for our mailing list.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.

Authors
Photo of David E. Kitchen
David E. Kitchen
Photo of David Brown
David Brown
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More