Northwestern College, Groton School District in Connecticut, San Marcos City in Texas, Ellwood Thompson's specialty grocery store, Meridian Health Services, Monarch Beverage — what do they have in common? Each has fallen victim to W-2 tax fraud in the last two months.
What was once a scam known for exclusively targeting the corporate world has expanded to other sectors, including school districts, tribal organizations, and nonprofits. W-2 fraudsters show no prejudice — regardless of geographic location, industry, and organization size, we're seeing employees across the spectrum fall victim.
Because W-2 fraud doesn't discriminate, it's become a wildly successful phishing scheme. Here's how it works: malicious actors spoof the CEO or president of a company and email an employee with financial responsibilities (think CFO or department head-level personnel) to request copies of all employees' W-2 forms. The employee, believing that the boss needs this info, falls victim to the fake email, shares confidential information, and sets in motion a daisy chain of events that will damage the company and its employees.
W-2 fraud attacks are particularly dangerous because the fallout has long legs. IRS Commissioner John Koskinen wrote in a statement, "This is one of the most dangerous email phishing scams we've seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns."
Despite warnings from the IRS in early February, employees continue to fall for these social engineering ploys, and the problem is growing in 2017. According to Tamara Powell, a program manager in the IRS wage and investment group, the IRS found that about 300,000 W-2s were compromised by W-2 scams over the entire 2016 filing season. In January 2017 alone, the IRS found another 300,000 compromised W-2s: a full season's worth of damage in a single month. No matter how you do the math, that's an alarming year-over-year increase. A compilation of the victims is also available on DataBreaches.net. These are not only huge numbers but massive increases for a problem that's mostly avoidable.
What to Do about W-2 Fraud
While organizations of all sizes and in all industries are at risk, the precautions are the same for everyone. Your IT team and internal security professionals will want to know whether the endpoint solutions already in place will prevent W-2 fraud. They won't: these emails carry no malware and no malicious link, just a plausible request from the boss, so there is nothing for endpoint tooling to detect. The good news is that your team won't need to make another technology investment; it really comes down to educating employees on some basics to better protect your organization:
- Notify the HR and accounting departments: Your finance and HR teams are the ones that are going to receive the fake emails, so before anything else, warn them there is a strain of CEO fraud asking for W-2s. What should they do if they get an email they think is a phishing email? Tell them to always verify requests like that using something other than email (phone, text, an in-person conversation). Warning these teams immediately may prevent a host of problems.
- Encourage suspicion: As a security pro, you normally wouldn't ask employees to actively be distrustful in their jobs, but when it comes to W-2 fraud, you want to encourage appropriate teams — finance, accounting, and HR — to run things through a sniff test. If someone in your organization receives an email asking about W-2 forms from literally anyone, alarms should sound. Encourage everyone to pick up the phone and verify that the email was truly sent by the CEO (or other appropriate party).
- Educate: Read and circulate this link to the IRS site with more tax scams you need to watch out for.
- Sound the alarm: If you receive one of these emails, report it. The IRS says organizations that receive a W-2 scam email should forward it to phishing@irs.gov and place "W2 Scam" in the subject line. Employees whose W-2 data may have been exposed should consider filing Form 14039, the IRS Identity Theft Affidavit, and requesting an IP PIN from the IRS. Form 14039 requires you to state that you believe you are likely to be a victim of identity fraud. Even if cybercriminals haven't yet tried to file a bogus tax return in your name, so much Americans' personal data has already been stolen in breaches that a pre-emptive filing is reasonable.
- Watch for follow-up: Cons keep getting bolder and have started combining W-2 fraud with CEO fraud. Tell your accounting and finance teams to watch for a "follow-up" email around the same time from the comptroller or CFO that asks them to conduct a wire transfer to a certain account. The steps are the same here — teach your staff to pick up the phone or have a face-to-face discussion to verify the request before acting on it.
- Check configurations: A whopping 82% of email servers allow spoofed emails to pass through. Test yours: from a server outside your organization, send a message whose From: address is your CEO's, and see whether your inbound gateway delivers it. Then publish SPF, DKIM, and DMARC records for every domain you send from, and configure your inbound mail gateway to enforce DMARC, so that a message claiming to come from your own domain but failing authentication is rejected rather than delivered to the HR or finance inbox.
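As an added example that is not part of the original article, the Python below checks whether a domain's published SPF and DMARC records would actually cause a spoofed message (From: ceo@example.com, sent from an attacker's server) to be rejected, showing the weak "monitor only" records beside the hardened ones. The domain, records, and IP addresses are constructed for a hypothetical example.com. DKIM is not modelled, since verifying a signature needs the signing key, and SPF include:, a and mx mechanisms need live DNS, so only ip4/ip6 mechanisms are evaluated offline.

```python
"""Assess whether a domain's SPF and DMARC records would cause a spoofed
message (From: ceo@example.com sent from an attacker's server) to be rejected.

Added example for this article. All records and IP addresses below are
constructed for a hypothetical example.com; they are not real DNS data.
"""
import ipaddress

# Constructed TXT records. The weak set is what a "monitor only" rollout
# looks like; the hardened set is the end state you want.
WEAK_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ~all",                        # ~all: softfail only
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",  # p=none: no action
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",                        # -all: hard fail
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into [(qualifier, mechanism), ...] and the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        if "=" in term:               # modifier (redirect=, exp=): ignored here
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def spf_result(record, sender_ip):
    """Evaluate ip4:/ip6: mechanisms for sender_ip. include:, a and mx would
    need DNS lookups, so this offline check ignores them."""
    mechanisms, all_qualifier = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism in mechanisms:
        name, _, value = mechanism.partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
    # No mechanism matched: the 'all' qualifier decides (no 'all' at all -> neutral).
    return QUALIFIER_RESULT.get(all_qualifier, "neutral")


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for item in record.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(records, domain, attacker_ip):
    """Return findings for a spoof of <user>@domain sent from attacker_ip.
    An empty list means a DMARC-enforcing receiver would reject the message."""
    findings = []
    spf = records.get(domain)
    if spf is None:
        findings.append("no SPF record")
    else:
        result = spf_result(spf, attacker_ip)
        if result != "fail":
            findings.append(f"SPF gives '{result}' for {attacker_ip}; end the record with -all")
    dmarc = records.get(f"_dmarc.{domain}")
    if dmarc is None:
        findings.append("no DMARC record; receivers have no policy to enforce")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none")
        if policy != "reject":
            action = "delivered" if policy == "none" else "only quarantined"
            findings.append(f"DMARC p={policy}; spoofed mail is {action}; set p=reject")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address, so no aggregate reports arrive")
    return findings


if __name__ == "__main__":
    attacker = "198.51.100.7"   # constructed: a host outside example.com's ip4 range
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"{label}: {assess(recs, 'example.com', attacker) or ['spoof would be rejected']}")
```

Run it and the weak set produces two findings (SPF softfail, DMARC p=none) while the hardened set produces none. In practice the same parser can be fed the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com` for your real domains; roll out DMARC at p=none first, read the rua= aggregate reports to find legitimate senders you forgot, then move to p=quarantine and finally p=reject.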
Although tax season may be coming to a close, phishing schemes aren't slowing down. W-2 fraud is just one of the many tax scams to watch out for; check out 9 Phishing Lures that Could Hijack your 2017 Tax Refund for additional schemes to keep on your employees' radar.