Photo credit: Bank Info Security
In early February, the Internal Revenue Service (IRS) issued an urgent alert to all employers who issue Form W-2 about a dangerous email phishing scheme. To-date, the phishing scheme has affected more than 100 employers and 120,000 employees.
How does the Phishing Scheme Work?
On January 20th, an email from Lynn Jurich, CEO of San Francisco-based solar firm Sunrun, popped up in a payroll department employee’s inbox. The CEO was requesting copies of all employee W-2 forms, which were about to be sent in preparation for tax season. The employee responded quickly as requested, not realizing the W-2 forms were about to be delivered to a cybercriminal. The addresses, social security numbers, and salary information of Sunrun’s nearly 4,000 employees had just been compromised.
By using email spoofing techniques, cybercriminals are able to draft emails that look like they are coming directly from high-level executives at any organization. They send the message to an employee in the payroll or HR department and include a request for a list of individuals at the organization and their W-2 forms. Initially, the information from the W-2s will be used to file fraudulent tax returns and claim refunds. However, once the criminals are done using the W-2s, they will attempt to contact the same individuals within the business they have already compromised to request a wire transfer to an untraceable bank account. By the time anyone is alerted to the fraudulent W-2s or someone figures out it wasn’t actually the CEO or high-level executive contacting them, it’s entirely too late.
Also known as business email compromise (BEC), these attacks have compromised more than 15,000 organizations; costing more than $1 billion over the last three years.
Urgent Alert from the IRS
On February 2, 2018, the IRS issued a statement alerting employers in sectors ranging from school districts to nonprofits, regarding the W-2 scam.
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can then use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” commented IRS Commissioner John Koskinen.
In the statement, the IRS strongly encourages employers to notify them as soon as a W-2 theft is identified. Since 2016, the IRS, along with state tax agencies and the tax industry have worked together to form the Security Summit. Together, they have enacted numerous safeguards to identify fraudulent returns file through scams. As these safeguards continue to expand, cybercriminals need more data to mimic real tax returns.
The W-2 scam is one of many new variations that have appeared in the past year focusing on the large-scale thefts of personally identifiable information from taxpayers, businesses, and payroll companies. While individual taxpayers were the initial targets of such schemes, cybercriminals have found it to be much more profitable to focus on mass data thefts.
Should you or your employer become a victim of a tax-related scheme, there are steps to take that are crucial to your security. For employers, notify the IRS immediately by sending an email to firstname.lastname@example.org with “W2 Scam” in the subject line. Then, file a complaint with the Internet Crime Complaint Center which is operated by the Federal Bureau of Investigation (FBI). Lastly, employers should also make sure to alert their respective state tax agencies by notifying StateAlert@taxadmin.org. As for employees, review the recommended actions by the Federal Trade Commission here. If the employee’s tax return is rejected because of a duplicate Social Security Number, employees should file a Form 14039, Identity Theft Affidavit.