Last year we saw an unprecedented number of companies of all sizes fall victim to a W-2 spear phishing scam. The scam usually began with a “spoofing” email that appeared to have been sent by a company’s CEO or CFO to one or more employees in the human resources or payroll department. The email typically requested that all of the company’s employees’ W-2s be sent in PDF format via return message or uploaded to a file sharing site. Unbeknownst to the human resources or payroll department employees, the email did not come from the CEO or CFO but a criminal who had conducted some research to, at the very least, identify the names and email addresses of the CEO or CFO as well as the targeted human resources or payroll department employees. Here is an example:
Subject: Treat as Urgent
Date: March 7, 2016 10:55 AM
I need copies of all employees’ W-2 wage and tax statements for 2015 to complete a business transaction. I need them in PDF format. You can send them as an attachment.
The email appears to be a completely legitimate request from a legitimate email address, but in reality the email is from somewhere entirely different and has the “REPLY TO” field (that is typically hidden from the end user) set to an email address controlled by the criminal; for example, firstname.lastname@example.org. The email headers would show this. Other variations on the content of the W-2 requests can be found in the IRS’s alert on the topic issued March 1, 2016.
Criminals were successful in filing fraudulent tax returns within days (and perhaps hours) of obtaining the W-2s. The time and effort it takes to steal this valuable information – a few simple, targeted emails to unsuspecting employees – is significantly less than the time and effort it takes to infiltrate a network. Given this, it is highly likely that this scam will continue during the 2016 tax season.
Now is a good time to remind employees, especially those who handle W-2s and other tax forms, to be aware of the threat. Employees should be advised that email requests for any type of sensitive data should be confirmed as legitimate through direct contact with the apparent sender via a phone call. Employees should be further advised that, rather than responding directly to the email, they should send a new email where they enter the recipient. Employees should also be reminded of any policies and procedures regarding safeguarding personal information.
You can review a compilation of IRS alerts as well as further information on how to avoid tax fraud in general on the IRS’s website.