Endpoint
4/11/2017
02:30 PM
Stu Sjouwerman
Stu Sjouwerman
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Tax Season Surprise: W-2 Fraud

W-2 fraud used to target businesses exclusively but has now set its sights on many other sectors. Here's what you can do to prevent it from happening to you.

Northwestern College, Groton School District in Connecticut, San Marcos City in Texas, Ellwood Thompson's specialty grocery store, Meridian Health Services, Monarch Beverage — what do they have in common? Each has fallen victim to W-2 tax fraud in the last two months.

What was once a scam known for exclusively targeting the corporate world has expanded to other sectors, including school districts, tribal organizations, and nonprofits. W-2 fraudsters show no prejudice — regardless of geographic location, industry, and organization size, we're seeing employees across the spectrum fall victim.

Because W-2 fraud doesn't discriminate, it's become a wildly successful phishing scheme. Here's how it works: malicious actors spoof the CEO or president of a company and email an employee with financial responsibilities (think CFO or department head-level personnel) to request copies of all employees' W-2 forms. The employee, believing that the boss needs this info, falls victim to the fake email, shares confidential information, and sets in motion a daisy chain of events that will damage the company and its employees.

W-2 fraud attacks are particularly dangerous because the fallout has long legs. IRS Commissioner John Koskinen wrote in a statement, "This is one of the most dangerous email phishing scams we've seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns."

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Despite warnings from the IRS in early February, employees continue to fall for the bad guys' social engineering ploys. In fact, the problem is growing in 2017. According to Tamara Powell, a program manager in the IRS wage and investment group, during the 2016 filing season, the IRS found that about 300,000 W-2s were compromised by W-2 scams. Compare that to what we've seen just this year: in January 2017 alone, the IRS found that 300,000 W-2s were compromised. No matter how you do the math, that's an unbelievable year-over-year increase. A compilation of the victims is also available on DataBreaches.net. These are not only huge numbers but massive increases for a problem that's mostly avoidable.

What to Do about W-2 Fraud
While organizations of all sizes and in all industries are at risk, the precautions are the same for everyone. Your IT team and internal security professionals will want to know if the endpoint solutions already in place will prevent W-2 fraud. They won't. The good news is that your team won't need to make another technology investment; it really comes down to educating employees on some basics to better protect your organization:

  • Notify the HR and accounting departments: Your finance and HR teams are the ones that are going to receive the fake emails, so before anything else, warn them there is a strain of CEO fraud asking for W-2s. What should they do if they get an email they think is a phishing email? Tell them to always verify requests like that using something other than email (phone, text, an in-person conversation). Warning these teams immediately may prevent a host of problems.
  • Encourage suspicion: As a security pro, you normally wouldn't ask employees to actively be distrustful in their jobs, but when it comes to W-2 fraud, you want to encourage appropriate teams — finance, accounting, and HR — to run things through a sniff test. If someone in your organization receives an email asking about W-2 forms from literally anyone, alarms should sound. Encourage everyone to pick up the phone and verify that the email was truly sent by the CEO (or other appropriate party).
  • Educate: Read and circulate this link to the IRS site with more tax scams you need to watch out for.
  • Sound the alarm: If you receive a scam, report it. The IRS says organizations that receive a W-2 scam email should forward it to [email protected] and place "W2 Scam" in the subject line. Consider filing form 14039 and request an IP PIN from the government. Form 14039 requires you to state you believe you are likely to be a victim of identity fraud. Even if cybercriminals haven't tried to file a bogus tax return in your name, virtually every American's data has been stolen, which can lead to your identity being stolen. 
  • Watch for follow-up: Cons keep getting bolder and have started combining W-2 fraud with CEO fraud. Tell your accounting and finance teams to watch for a "follow-up" email around the same time from the comptroller or CFO that asks them to conduct a wire transfer to a certain account. The steps are the same here — teach your staff to pick up the phone or have a face-to-face discussion to verify the request before acting on it.
  • Check configurations: A whopping 82% of email servers allow spoofed emails to pass through. Make sure you test this and correctly configure the email servers to not let spoofed domains through. Frameworks such as SPF, DMARC, and DKIM are useful to get this set up correctly.

Although tax season may be coming to a close, phishing schemes aren't slowing down. W-2 fraud is just one of the many tax scams to watch out for; check out 9 Phishing Lures that Could Hijack your 2017 Tax Refund for additional schemes to keep on your employees' radar.

Related Content:

Stu Sjouwerman (pronounced "shower-man") is the founder and CEO of KnowBe4,Inc., which hosts the world's most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/11/2017 | 2:53:20 PM
Job Responsibility Awarness
It may take time but these instances could be cut down drastically if scoping of procedural responsibilities was performed during the onboarding process. A quick segment on this is the data you will be handling, these are the authorized entities that will request data, and this is the authorized method of transit. Anything outside of these mechanisms should not be utilized.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.