4/11/2017
02:30 PM
Stu Sjouwerman
Commentary

Tax Season Surprise: W-2 Fraud

W-2 fraud used to target businesses exclusively but has now set its sights on many other sectors. Here's what you can do to prevent it from happening to you.

Northwestern College, Groton School District in Connecticut, San Marcos City in Texas, Ellwood Thompson's specialty grocery store, Meridian Health Services, Monarch Beverage — what do they have in common? Each has fallen victim to W-2 tax fraud in the last two months.

What was once a scam known for exclusively targeting the corporate world has expanded to other sectors, including school districts, tribal organizations, and nonprofits. W-2 fraudsters show no prejudice — regardless of geographic location, industry, and organization size, we're seeing employees across the spectrum fall victim.

Because W-2 fraud doesn't discriminate, it's become a wildly successful phishing scheme. Here's how it works: malicious actors spoof the CEO or president of a company and email an employee with financial responsibilities (think CFO or department head-level personnel) to request copies of all employees' W-2 forms. The employee, believing that the boss needs this info, falls victim to the fake email, shares confidential information, and sets in motion a daisy chain of events that will damage the company and its employees.

W-2 fraud attacks are particularly dangerous because the fallout has long legs. IRS Commissioner John Koskinen wrote in a statement, "This is one of the most dangerous email phishing scams we've seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns."

Despite warnings from the IRS in early February, employees continue to fall for the bad guys' social engineering ploys. In fact, the problem is growing in 2017. According to Tamara Powell, a program manager in the IRS wage and investment group, during the 2016 filing season, the IRS found that about 300,000 W-2s were compromised by W-2 scams. Compare that to what we've seen just this year: in January 2017 alone, the IRS found that 300,000 W-2s were compromised. No matter how you do the math, that's an unbelievable year-over-year increase. A compilation of the victims is also available on DataBreaches.net. These are not only huge numbers but massive increases for a problem that's mostly avoidable.

What to Do about W-2 Fraud
While organizations of all sizes and in all industries are at risk, the precautions are the same for everyone. Your IT team and internal security professionals will want to know if the endpoint solutions already in place will prevent W-2 fraud. They won't. The good news is that your team won't need to make another technology investment; it really comes down to educating employees on some basics to better protect your organization:

  • Notify the HR and accounting departments: Your finance and HR teams are the ones that are going to receive the fake emails, so before anything else, warn them there is a strain of CEO fraud asking for W-2s. What should they do if they get an email they think is a phishing email? Tell them to always verify requests like that using something other than email (phone, text, an in-person conversation). Warning these teams immediately may prevent a host of problems.
  • Encourage suspicion: As a security pro, you normally wouldn't ask employees to actively be distrustful in their jobs, but when it comes to W-2 fraud, you want to encourage appropriate teams — finance, accounting, and HR — to run things through a sniff test. If someone in your organization receives an email asking about W-2 forms from literally anyone, alarms should sound. Encourage everyone to pick up the phone and verify that the email was truly sent by the CEO (or other appropriate party).
  • Educate: Read and circulate this link to the IRS site with more tax scams you need to watch out for.
  • Sound the alarm: If you receive a scam, report it. The IRS says organizations that receive a W-2 scam email should forward it to [email protected] and place "W2 Scam" in the subject line. Consider filing Form 14039 and requesting an IP PIN from the government. Form 14039 requires you to state that you believe you are likely to be a victim of identity fraud. Even if cybercriminals haven't tried to file a bogus tax return in your name, virtually every American's data has been stolen, which can lead to your identity being stolen.
  • Watch for follow-up: Cons keep getting bolder and have started combining W-2 fraud with CEO fraud. Tell your accounting and finance teams to watch for a "follow-up" email around the same time from the comptroller or CFO that asks them to conduct a wire transfer to a certain account. The steps are the same here — teach your staff to pick up the phone or have a face-to-face discussion to verify the request before acting on it.
  • Check configurations: A whopping 82% of email servers allow spoofed emails to pass through. Make sure you test this and correctly configure the email servers to not let spoofed domains through. Frameworks such as SPF, DMARC, and DKIM are useful to get this set up correctly.
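
Extending the "Check configurations" item above, here is an added Python example (not from the article or from KnowBe4) that parses SPF and DMARC TXT records and reports the settings that still let a forged sender through. The domain names and records are constructed samples, and the DNS lookup itself is left out so the check runs offline; in practice you would feed it the TXT records of your own domain.

```python
import re

# Constructed sample TXT records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example",
    },
}

def spf_all_qualifier(spf):
    """Qualifier on the record's 'all' mechanism ('-', '~', '?', '+'), or None."""
    if not spf.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf, re.IGNORECASE)
    return (m.group(1) or "+") if m else None  # a bare 'all' means '+all'

def dmarc_policy(dmarc):
    """(policy, pct) from a DMARC record; (None, None) if there is no valid record."""
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None, None
    return tags.get("p", "").lower() or None, int(tags.get("pct", "100"))

def assess_spoof_exposure(spf, dmarc):
    """List the weaknesses that let a forged From: domain reach inboxes."""
    findings = []
    q = spf_all_qualifier(spf)
    if q is None:
        findings.append("SPF: no record or no 'all' mechanism; forged senders pass")
    elif q in ("+", "?"):
        findings.append(f"SPF: '{q}all' neither fails nor softfails forged senders")
    policy, pct = dmarc_policy(dmarc)
    if policy is None:
        findings.append("DMARC: no record; receivers apply no policy to forged mail")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; forged mail is still delivered")
    elif pct < 100:
        findings.append(f"DMARC: pct={pct} leaves part of forged mail unpoliced")
    return findings or ["forged mail from this domain is rejected or quarantined"]
```

Running `assess_spoof_exposure(**SAMPLE_RECORDS["weak.example"])` lists both the permissive SPF qualifier and the monitor-only DMARC policy, while the hardened domain returns a single clean result.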

Although tax season may be coming to a close, phishing schemes aren't slowing down. W-2 fraud is just one of the many tax scams to watch out for; check out 9 Phishing Lures that Could Hijack your 2017 Tax Refund for additional schemes to keep on your employees' radar.

Stu Sjouwerman (pronounced "shower-man") is the founder and CEO of KnowBe4, Inc., which hosts the world's most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the ...
Comments
RyanSepe
User Rank: Ninja
4/11/2017 | 2:53:20 PM
Job Responsibility Awareness
It may take time but these instances could be cut down drastically if scoping of procedural responsibilities was performed during the onboarding process. A quick segment on this is the data you will be handling, these are the authorized entities that will request data, and this is the authorized method of transit. Anything outside of these mechanisms should not be utilized.