4/11/2017
02:30 PM
Stu Sjouwerman
Commentary

Tax Season Surprise: W-2 Fraud

W-2 fraud used to target businesses exclusively but has now set its sights on many other sectors. Here's what you can do to prevent it from happening to you.

Northwestern College, Groton School District in Connecticut, San Marcos City in Texas, Ellwood Thompson's specialty grocery store, Meridian Health Services, Monarch Beverage — what do they have in common? Each has fallen victim to W-2 tax fraud in the last two months.

What was once a scam known for exclusively targeting the corporate world has expanded to other sectors, including school districts, tribal organizations, and nonprofits. W-2 fraudsters show no prejudice — regardless of geographic location, industry, and organization size, we're seeing employees across the spectrum fall victim.

Because W-2 fraud doesn't discriminate, it's become a wildly successful phishing scheme. Here's how it works: malicious actors spoof the CEO or president of a company and email an employee with financial responsibilities (think CFO or department head-level personnel) to request copies of all employees' W-2 forms. The employee, believing that the boss needs this info, falls victim to the fake email, shares confidential information, and sets in motion a daisy chain of events that will damage the company and its employees.

W-2 fraud attacks are particularly dangerous because the fallout has long legs. IRS Commissioner John Koskinen wrote in a statement, "This is one of the most dangerous email phishing scams we've seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns."


Despite warnings from the IRS in early February, employees continue to fall for the bad guys' social engineering ploys. In fact, the problem is growing in 2017. According to Tamara Powell, a program manager in the IRS wage and investment group, during the 2016 filing season, the IRS found that about 300,000 W-2s were compromised by W-2 scams. Compare that to what we've seen just this year: in January 2017 alone, the IRS found that 300,000 W-2s were compromised. No matter how you do the math, that's an unbelievable year-over-year increase. A compilation of the victims is also available on DataBreaches.net. These are not only huge numbers but massive increases for a problem that's mostly avoidable.

What to Do about W-2 Fraud

While organizations of all sizes and in all industries are at risk, the precautions are the same for everyone. Your IT team and internal security professionals will want to know if the endpoint solutions already in place will prevent W-2 fraud. They won't. The good news is that your team won't need to make another technology investment; it really comes down to educating employees on some basics to better protect your organization:

  • Notify the HR and accounting departments: Your finance and HR teams are the ones that are going to receive the fake emails, so before anything else, warn them there is a strain of CEO fraud asking for W-2s. What should they do if they get an email they think is a phishing email? Tell them to always verify requests like that using something other than email (phone, text, an in-person conversation). Warning these teams immediately may prevent a host of problems.
  • Encourage suspicion: As a security pro, you normally wouldn't ask employees to actively be distrustful in their jobs, but when it comes to W-2 fraud, you want to encourage appropriate teams — finance, accounting, and HR — to run things through a sniff test. If someone in your organization receives an email asking about W-2 forms from literally anyone, alarms should sound. Encourage everyone to pick up the phone and verify that the email was truly sent by the CEO (or other appropriate party).
  • Educate: Read and circulate this link to the IRS site with more tax scams you need to watch out for.
  • Sound the alarm: If you receive a scam email, report it. The IRS says organizations that receive a W-2 scam email should forward it to [email protected] and put "W2 Scam" in the subject line. Consider filing Form 14039 and requesting an IP PIN from the government. Form 14039 requires you to state that you believe you are likely to be a victim of identity fraud. Even if cybercriminals haven't tried to file a bogus tax return in your name, virtually every American's data has been stolen, which can lead to your identity being stolen.
  • Watch for follow-up: Cons keep getting bolder and have started combining W-2 fraud with CEO fraud. Tell your accounting and finance teams to watch for a "follow-up" email around the same time from the comptroller or CFO that asks them to conduct a wire transfer to a certain account. The steps are the same here — teach your staff to pick up the phone or have a face-to-face discussion to verify the request before acting on it.
  • Check configurations: A whopping 82% of email servers allow spoofed emails to pass through. Test whether yours does, and configure your email servers so that mail spoofing your domain is not accepted. The email authentication standards SPF, DKIM, and DMARC are the tools for getting this set up correctly: SPF and DKIM let a receiving server verify that a message really came from your domain, and a published DMARC policy tells it what to do with mail that fails those checks.

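One way to turn the "check configurations" step into a concrete test, as an added example that is not code from the article or from KnowBe4: the script below parses SPF and DMARC TXT records and reports whether a domain's published policy actually tells receivers to reject spoofed mail. The record strings, domain names and mailbox are constructed placeholders; a real check would fetch the records with a DNS TXT lookup.

```python
"""Assess SPF and DMARC TXT records for anti-spoofing strength. Added example,
not the article's or KnowBe4's code. Record strings are constructed samples;
fetch real ones via a DNS TXT lookup of the domain and of _dmarc.<domain>."""
import re

SPF_WEAK = "v=spf1 include:_spf.example.net +all"  # constructed: +all passes anyone
SPF_STRONG = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_STRONG = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_default(txt):
    """SPF result for a host not listed: fail (-all), softfail (~all), neutral, pass (+all), missing."""
    if not txt.lower().startswith("v=spf1"):
        return "missing"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt, re.IGNORECASE)
    if not m:
        return "neutral"
    return {"-": "fail", "~": "softfail", "?": "neutral"}.get(m.group(1), "pass")

def dmarc_disposition(txt):
    """What DMARC asks receivers to do with mail that fails alignment."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "none").lower()
    if policy != "none" and int(tags.get("pct", "100")) < 100:
        return "partial"  # enforced only on a percentage of mail
    return policy

def spoofing_findings(spf_txt, dmarc_txt):
    """Weaknesses found; an empty list means receivers should drop mail spoofing the domain."""
    findings, spf = [], spf_default(spf_txt)
    if spf in ("missing", "pass"):
        findings.append(f"SPF lets any host send as the domain ({spf})")
    elif spf == "neutral":
        findings.append("SPF has no -all/~all, so it is not enforced")
    dmarc = dmarc_disposition(dmarc_txt)
    if dmarc not in ("reject", "quarantine"):
        findings.append(f"DMARC policy '{dmarc}' does not stop spoofed mail")
    return findings
```

A domain with p=none only monitors; spoofed mail is still delivered, which is why the check insists on reject or quarantine at 100%.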
Although tax season may be coming to a close, phishing schemes aren't slowing down. W-2 fraud is just one of the many tax scams to watch out for; check out 9 Phishing Lures that Could Hijack your 2017 Tax Refund for additional schemes to keep on your employees' radar.

Stu Sjouwerman (pronounced "shower-man") is the founder and CEO of KnowBe4, Inc., which hosts the world's most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the ...
Comments

RyanSepe, User Rank: Ninja, 4/11/2017 | 2:53:20 PM
Job Responsibility Awareness
It may take time but these instances could be cut down drastically if scoping of procedural responsibilities was performed during the onboarding process. A quick segment on this is the data you will be handling, these are the authorized entities that will request data, and this is the authorized method of transit. Anything outside of these mechanisms should not be utilized.