During the first few months of the COVID-19 pandemic, cyber-criminals introduced companies to an assortment of clever phishing attacks that exploited the chaos—from emails with hyperlinks disguised as Center for Disease Control (CDC) guidance to text messages offering purported COVID-19 cures, these attacks siphoned at least $12 million from Americans between January and April 2020, according to the Federal Trade Commission (FTC). With tax filing season now approaching, cyber-criminals are turning to W-2-based business email compromises. Below, Ice Miller’s Data Security and Privacy team describes W-2 scams and provides security tips for protecting your company as the extended federal tax deadline (July 15, 2020) draws near.

What Does a W-2-based Business Email Compromise Look Like?

In a W-2 scam, cyber-criminals typically impersonate an executive of the company and make an urgent request via email, such as asking for all employee W-2 forms or other tax-related documents containing employee personal information. Here is a real-life example received by an Ice Miller client:

Such an email is usually sent to someone with access to employee tax documents, such as a human resources or accounting employee. To make the request more legitimate, cyber-criminals may “spoof” (imitate) a company’s email domain, such as “[email protected]”.

Because W-2s contain Social Security Numbers and other personal information, as well as wages, withheld taxes, and other data, cyber-criminals can either submit a false tax refund in an employee’s name, or they might sell this valuable information to identity thieves on the dark web. Either scenario presents financial and reputational risks for companies who fall victim to a W-2 scam.

How Can You Protect Against a W-2 Scam?

Our team frequently advises clients on data security solutions that can help protect your company from a W-2-based business email compromise. The transition to remote working made in response to the pandemic has elevated the challenge for spotting fake emails or other social engineering types of attacks, which often rely on confusion or misdirection. Here are five tips your company should consider to address the rebirth of W-2 scams, particularly if your employees are working remotely.

  1. Verify the Request By Phone or Secure Communication. Even if your employees are working remotely, verifying the request is one of the basic and most reliable ways to protect against W-2 scams. Recipients can either call the requesting person to ask if he or she meant to request all employee W-2s, or they can also use a secure communication platform—such as Slack, Signal, or Wickr messaging applications (which are end-to-end encrypted) to speak with the requesting person.
  2. Deploy Domain Message Authentication Reporting and Conformance (DMARC) Authentication. DMARC authentication is an email protocol that helps prevent cyber-criminals from spoofing a company’s domain. This authentication method typically provides reports that analyze all systems used to send email from your company’s domain and identify which emails are legitimate. Based on these reports, your company can reconfigure email settings to recognize those emails flagged as illegitimate. DMARC authentication also screens emails based on reconfigured settings and automatically rejects emails that do not conform to the settings so your employees never see the illegitimate email.
  3. Revisit Data Loss Prevention Policies and Mechanisms. Many companies already have in place Data Loss Prevention (DLP) policies and mechanisms that govern what data can be sent via email. DLP policies impose conditions on shareable content and implement actions that automatically apply to certain information or locations. By properly configuring your company’s DLP policy, you can prevent an employee from sending an email that contains sensitive financial data or otherwise personally identifiable information. For example, in Microsoft Office 365, DLP policies can be adjusted to identify this information across several locations, such as Exchange, SharePoint, OneDrive, and Microsoft Teams. DLP policies can also send automatic email notifications and policy tips to train an employee who attempted to violate the policy.
  4. Simulated W-2 Scams. In-person training may be infeasible for many employees right now, but that does not mean your company cannot monitor how employees respond to suspicious emails. Consider using simulated W-2 attacks to identify employees who consistently respond to emails from spoofed domains or to emails that contain awkward phrasing or poor grammar (both of which are hallmarks of W-2 scams). One approach is to send “test” emails to employees from our security professionals posing as partners or executives requesting urgent assistance with a project, and we often assist our clients with developing similar simulations for employees.
  5. Ensure Employee Accounts (and Devices!) are Protected. Employee credentials are at increased risk of theft in remote working environments, and a W-2 business email compromise is even more effective if the request comes from an employee’s actual email address and not a spoofed domain from an imposter. For many, shifting to a remote working environment pulls them out from under the protection of in-office network and device protection. Consider surveying your employees to determine who is connected to your company’s Virtual Private Network (VPN). You may also consider providing training for securing home networks (such as changing default Wi-Fi passwords and router passwords and disabling Remote Administration Access to routers) by videoconference, so visual learners are able to watch as you or another professional walk them through basic security measures. Finally, we encourage our clients to revisit any password policies currently in place. If your company does not have a password policy, the National Institute of Standards and Technology (NIST) password guidelines offer guidance for securing passwords.

With just over one month before the extended tax deadline arrives, cyber-criminals will likely continue to attempt W-2-based business email compromise in hopes that hurried and distracted employees will unwittingly deliver W-2s without much hesitation.