Over the next few months, you may see a curious email, apparently from a top executive, land in the inbox of human resources or the payroll department of your company. It might appear friendly and innocent, but it oddly requests that the recipient send employees' W-2 Forms.
Photo via LifeLock
When you receive a request like this from the CEO or another senior person at your employer, it only seems natural to follow through. After all, it's pretty believable that an executive would need this information. But look again.
Don’t be fooled. As tax season gets underway, so does cybercrime, and the above email is just one of numerous examples of fraudsters attempting to obtain sensitive data through W-2 phishing scams.
Phishing attacks occur when cybercriminals craft seemingly authentic emails or other communications to extract sensitive information, such as Social Security, bank account, or credit card numbers, from their victims. The latest threat, however, is more specific and seeks a cornucopia of valuable sensitive data in a single document: Form W-2.
Form W-2 is the annual form that every taxpayer receives from their employer stating how much money they made that year, how much was withheld, and how much went to federal and state taxes. The form contains the employee’s Social Security number, address, and other personal information, so it is filled to the brim with data you don’t want falling into the hands of cybercriminals.
How Hackers Profit from Stolen W-2 Forms
After enticing employees with spear-phishing emails that appear legitimate and collecting bundles of W-2 forms, the attackers use their newfound data to file fraudulent tax returns in the victims' names. According to TechTarget, “spear-phishing attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.” In other words, the culprits behind these email scams are more sophisticated than the average hacker, so don’t assume it couldn’t happen to you.
Even organizations that market their cybersecurity expertise fall into these traps. As reported by Krebs On Security, the cybersecurity company Defense Point Security fell victim to a W-2 phishing scam in March of 2017. Defense Point was just one of many companies to fall for these notorious spear-phishing emails. Last year alone, organizations such as Marin Software, Sunrun, and Westminster College fell subject to W-2 scammers.
Now, the IRS warns that these email scams are going further, requesting wire transfers in addition to W-2 Forms and even targeting school districts and hospitals. These wire transfer scams can be even more devastating and create a riskier environment for your employees and your organization.
Avoiding Those Hooks
If a phishing scheme has successfully hoodwinked payroll into handing over sensitive documents, the best immediate step is to report it to law enforcement, the IRS, and your finance office. Immediacy is key: if fraudulent returns have already been filed with the stolen W-2 data or, worse, processed, recovery will take much longer.
The best thing to do is prevent a scam before it happens. It can be hard, but it’s definitely possible to avoid the bait, and communication and awareness are the driving factors.
A CEO or other top executive would almost never request a W-2 Form or a similarly sensitive document over email. Verify that the source of the email is legitimate by expanding the sender's display name to reveal the actual email address behind it; a familiar name attached to an unfamiliar or external address is a red flag.
Never click any links in the email. If you want to check a link's legitimacy, copy its actual URL and inspect it rather than opening it. Malicious links typically resemble legitimate ones, but are often much longer, and may have giveaways such as a ".com" in the wrong place (for example, in the middle of the hostname rather than at the end).
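The two checks just described (does the sender's real address belong to the organization, and do the link hostnames actually end in the organization's domain) are mechanical enough to automate for mail-gateway or help-desk triage. The following is an added example, not code from the article or from any vendor it mentions; it uses only the Python standard library. The sample message is constructed for illustration, and the organization domain `example.com`, the brand token `example`, and the keyword list are assumptions to be replaced with your own values.

```python
"""Heuristic triage of an inbound email for W-2 / payroll phishing indicators.

Added example, not from the original article. ORG_DOMAIN, ORG_BRAND and
SENSITIVE_TERMS are assumptions; the sample message below is constructed.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"      # assumption: the organization's real mail domain
ORG_BRAND = "example"           # assumption: token a lookalike domain would reuse
SENSITIVE_TERMS = ("w-2", "w2", "wire transfer", "payroll", "ssn")

# Constructed sample in the style the article describes: an "executive"
# writing from an external lookalike domain, asking for W-2 forms.
SAMPLE_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@example-hr.net>
Reply-To: jane.doe@mail-example.org
To: payroll@example.com
Subject: Quick request - employee W-2 forms
Content-Type: text/plain

Hi, I need the W-2 forms for all staff today for a review.
Please upload them here: http://example.com.secure-upload.net/w2/login
Thanks
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels.
    A real deployment would consult the public suffix list (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def plain_text(msg) -> str:
    """Collect the text/plain body parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw: str) -> dict:
    """Return a verdict and the list of indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Expand the display name: does the real address belong to the organization?
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if from_domain and registrable(from_domain) != ORG_DOMAIN:
        findings.append(f"external sender domain {from_domain!r} behind display name {display!r}")

    # 2. A Reply-To that diverges from From redirects the conversation elsewhere.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(f"Reply-To {reply!r} differs from From {addr!r}")

    # 3. Is the message asking for the kind of data this scam targets?
    text = plain_text(msg)
    haystack = (msg.get("Subject", "") + "\n" + text).lower()
    hits = [term for term in SENSITIVE_TERMS if term in haystack]
    if hits:
        findings.append(f"sensitive-data request terms: {hits}")

    # 4. Link hosts that contain the brand name but do not end in our domain
    #    (the "dot com in the wrong place" pattern from the article).
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable(host) != ORG_DOMAIN and ORG_BRAND in host:
            findings.append(f"lookalike link host {host!r} (registrable domain {registrable(host)!r})")

    verdict = "suspicious" if len(findings) >= 2 else "clean"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Treat the output as a triage aid, not a verdict: the sender check says nothing about a message sent from a genuinely compromised executive mailbox, which is why the article's process-level rule (a defined channel for W-2 transfers, with no exceptions requested by email) still matters even when every header looks right.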
Anti-phishing training for your users is one of the best things you can do to secure your business from information theft.
If, for any reason, W-2 Forms need to be sent or distributed within a company, devise a single, documented procedure for doing so. Employees should know the protocol for transferring sensitive documents such as W-2 Forms, so that any request arriving outside that channel, including by email, stands out as suspicious.