IRS: Watch Out For Evolved W-2 Phishing Scams

The IRS issued an “urgent” alert recently, warning consumers that the W-2 phishing scam that first appeared last year has now evolved beyond the corporate world to target schools, restaurants, hospitals, tribal groups and others. The scams are happening earlier this year as well.  

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen in a release posted on the IRS website on Feb. 2, 2017.

Related to this, the scammers are also using an older wire transfer scheme that has left some organizations victimized twice.

The release explains how the scam works:

“Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).”

Stolen W-2 data is often the starting point for tax identity theft and tax refund fraud, which affect hundreds of thousands of U.S. citizens each year: a W-2 carries the name, address, Social Security number and wage figures needed to file a convincing return in the victim's name. The IRS paid out $3.1 billion in fraudulent refunds in 2014 (though it estimates it prevented $22.5 billion in attempted identity-theft tax fraud). Read more in our blog post about tax identity theft.

Riding on the success of the W-2 request, the emboldened cybercriminals then follow up with a second email to payroll or the comptroller asking for a wire transfer to be made.

“Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers,” according to the release.

 

The Victims

According to this KrebsonSecurity story, prominent W-2 phishing scam victims include Seagate Technology, Moneytree, Sprouts Farmers Market and EWTN Global Catholic Network.

The comments on the KrebsonSecurity story are fascinating as well, with folks sharing their personal stories of what’s happened to them:

User Mike shared his story on Feb. 2, 2017 at 11:38 p.m.: “We started receiving more sophisticated CEO fraud attempts at our accounting department recently. What was most alarming about these recent attempts is that the scammers registered domain names very close to ours but with the .co TLD (TLD for Colombia). They were then sending us email coming from @ourdomain.co which looked very very close to @ourdomain.com and made it through Spam filters. Definitely a first for me!”
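The .co lookalike Mike describes and the executive-impersonation spoofing in the IRS release are both catchable at the receiving mail gateway before a message reaches payroll. The Python below is an added illustration written for this page, not code from the IRS, KrebsonSecurity or the commenter: it classifies a sender domain as internal, lookalike or external (same label with a swapped TLD, a near-typo of the real domain, or the real domain embedded in a longer name), then triages a few constructed sample messages for an unauthenticated "internal" From header, a Reply-To that steers replies outside the company, and W-2 or wire-transfer wording. The organisation domain example.com, the header values and the keyword list are all assumptions.

```python
"""Flag inbound mail whose sender domain spoofs or imitates our own.

Added illustration for this page; the org domain, the sample headers and
the keyword list are constructed assumptions, not data from the article.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the organisation's real mail domain
PAYROLL_TERMS = ("w-2", "w2", "wire", "payroll")  # assumption: words worth a second look


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Domain of an address header value, display name stripped, lower-cased."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def classify_domain(domain: str, ours: str = OUR_DOMAIN) -> str:
    """Return 'internal', 'lookalike', 'external' or 'missing' for a sender domain."""
    if not domain:
        return "missing"
    if domain == ours or domain.endswith("." + ours):
        return "internal"  # our domain or a genuine subdomain of it
    our_label, _, our_tld = ours.rpartition(".")
    label, _, tld = domain.rpartition(".")
    if label == our_label and tld != our_tld:
        return "lookalike"  # ourdomain.co vs ourdomain.com, as in the comment
    if levenshtein(domain, ours) <= 2:
        return "lookalike"  # exarnple.com, examp1e.com, examples.com
    if ours in domain:
        return "lookalike"  # example.com.evil.net, example.com-secure.net
    return "external"


def triage_message(raw: str, ours: str = OUR_DOMAIN) -> list:
    """Return the list of finding tags for one RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = sender_domain(msg.get("From", ""))
    reply_dom = sender_domain(msg.get("Reply-To", "")) or from_dom
    # Authentication-Results is stamped by our own receiving MTA (RFC 8601)
    auth = msg.get("Authentication-Results", "").lower()
    verdict = classify_domain(from_dom, ours)
    tags = []
    if verdict == "lookalike":
        tags.append("lookalike-domain")
    # A From header claiming our domain that neither SPF nor DKIM vouches for
    if verdict == "internal" and "spf=pass" not in auth and "dkim=pass" not in auth:
        tags.append("unauthenticated-internal")
    # BEC mail often points Reply-To at an address the attacker controls
    if reply_dom != from_dom and classify_domain(reply_dom, ours) != "internal":
        tags.append("reply-to-external")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(term in text for term in PAYROLL_TERMS):
        tags.append("requests-payroll-data")
    return tags


# Constructed sample messages (not real traffic)
SAMPLES = {
    "lookalike_tld": (
        "From: CEO <ceo@example.co>\n"
        "To: payroll@example.com\n"
        "Subject: Need all employee W-2s today\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.co\n"
        "\n"
        "Send me the W-2 list as a PDF.\n"
    ),
    "spoofed_exec": (
        "From: CEO <ceo@example.com>\n"
        "Reply-To: ceo@example-corp.net\n"
        "To: hr@example.com\n"
        "Subject: Urgent: W-2 for all staff\n"
        "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none\n"
        "\n"
        "Reply with the forms attached, I am in a meeting.\n"
    ),
    "legitimate": (
        "From: Jane Doe <jane@example.com>\n"
        "To: hr@example.com\n"
        "Subject: Lunch on Friday\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com\n"
        "\n"
        "Want to grab lunch?\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {triage_message(raw) or 'no findings'}")
```

Note that the .co message passes SPF cleanly: the attacker registered that domain and publishes a valid record for it, so sender authentication alone never catches a lookalike. The domain classification and the Reply-To check are what surface the two cases above; in practice the lookalike list should also cover homoglyphs and the organisation's other brands.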

And user Beeker commented on Feb. 4, 2017 at 8:54 p.m.: “I’ve heard of such tricks. My former company almost became a victim of such a scam. Luckily, the AP head flagged that one simply because they requested a wire to another bank that is different from what was on our file. She did the proper protocol by requesting a letter with company letterhead and signed by an officer of the company. That foiled them. They tried it again within a day and it failed. Funny thing was the scammer was in South Korea impersonating a company in China.”

So what do the cyberthieves do with all the W-2s once they get them? They turn around and sell them for between $4 and $20 each on the Dark Web.

 

Steps Employers Can Take

The IRS shares some tips on steps employers can take if they see the scam:

Organizations receiving a W-2 scam email should forward it to phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3), operated by the Federal Bureau of Investigation.

Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.

Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return is rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

 


Image: Pexels