Is Your HR Team Prepared for this Tax Season's W-2 Phishing Attacks?

It’s tax season again, and the cybercriminals are relying on their old tricks. Why? Because they still work!

The Internal Revenue Service (IRS) reported this week that a targeted email scam used in 2016 is back this year.[1] The targeted email scam in question, a phishing variation known as “spoofing,” uses a corporate officer’s name to request employee Forms W-2 or Social Security numbers from company payroll and human resources departments. In 2016, the IRS recognized 1,026 incidents of email tax phishing and malware attacks reported in January, and it looks like it will be more of the same in 2017.

Numerous businesses have already reported this year that accounting, human resources, and tax professionals received emails, which appear to be from an executive at the company, requesting copies of the company's 2016 W-2 forms. Several companies have already been compromised by this attack, which often targets more junior employees in the accounting or human resources departments, with the sender posing as an executive in need of the W-2 information. For example, the phishing email may look like the one below, with the sender appearing to be a company executive[2]:



Given the subject and timing of this activity, the IRS and other cybercrime experts believe that this is the latest attempt to capitalize on the lucrative practice of filing fraudulent tax returns for refunds. Filing fraudulent returns can yield so much cash that, for the 2013 filing season alone, the IRS estimates over 5 million tax returns were filed using stolen identities, claiming a total of $30 billion in fraudulent refunds. While the government was able to stop or recover 81% of the fraudulent claims, that still left over $6 billion gained from fraudulent filings.[3] In 2015, the IRS reported that as many as 330,000 taxpayer accounts on the official IRS website were claimed by cybercriminals using stolen Social Security numbers and other data acquired externally to get access to copies of past filings and file fraudulent returns. The IRS additionally reported that identity thieves attempted to break into another 280,000 taxpayer accounts that year.

What to Look Out For

Spoofing, also known as Business Email Compromise (BEC), is a type of spear phishing attack that targets employees in your organization with access to valuable information by sending a communication that appears to be from a trusted individual, such as a company executive. What makes these attacks so dangerous is their apparent legitimacy. The header of the email may look exactly as one would expect, mirroring the company fonts, duplicating automated signature blocks, and containing the actual email address of the spoofed executive in the “From:” line. Often, the return email address won't even be visible until after the reply is sent unless the user specifically expands the address field. Some cybercriminals have registered domain names that are only a few characters divergent from the company's legitimate domain name, such as substituting the number one (1) for the letter "l" or replacing a ".org" with a ".com".
Additionally, spoofing attacks may contain personal details gleaned from social media that induce trust in the targeted individual such as referencing a recent vacation or life event.

It is also important to remember that these types of attacks are not just used for tax scams. Spoofing and other BEC attacks are often used to target accounting professionals in order to gain access to proprietary business information, corporate bank accounts, employee salary direct deposit accounts, or wire transfer credentials, or even to prompt individuals to initiate fraudulent wires. Any information of value to your company or your employees can be, and has been, targeted by cybercriminals.

So, how should you protect your company and employees from a spoofing attack? Awareness of the problem is key. Hardly anyone would be fooled by the “Nigerian Prince” scam today, because it has become synonymous with fraud in popular culture. Unfortunately, cybercriminals have become much more sophisticated in their attacks, using information gathered from social media sites, such as LinkedIn®, to use actual company executives’ names in the spoofed emails. Generally, employees are not accustomed to being skeptical of direct requests from their bosses. As a first line of defense, it is a good idea to train employees who handle sensitive information and ensure that they feel empowered to confirm the legitimacy of any such request, regardless of who appears to have sent it. Additional measures include working with your company’s IT department to monitor spear phishing trends and provide notice to all employees, and requiring dual authorization for the release of sensitive employee information.

Further Information and Resources

To help inform yourself and your employees on the dangers of spoofing, the Department of Justice, the IRS, and the Federal Bureau of Investigation (FBI) have provided example content of emails confirmed to have been fraudulent. Here are some things to watch for:

  • Requests which discourage contacting the executive for confirmation.
  • Emails containing the following language:
    • "Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W‑2 of our company staff for a quick review."
    • "Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)."
    • "I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap."
  • Email communications allegedly from the IRS or other tax companies. The IRS has explained that it does not send unsolicited email, text messages, or use social media to discuss personal tax issues. Therefore, if an employee of your organization receives an email or telephone call from someone claiming to be an IRS employee and demanding money, it may be helpful to consult the IRS Tax Scams/Consumer Alerts webpage: http://www.irs.gov/uac/Tax-Scams-Consumer-Alerts.
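The indicators described above (a lookalike sender domain, an executive's name on an external address, a hidden Reply-To that differs from the visible sender, and the request wording quoted from confirmed fraudulent emails) can be checked mechanically before a W-2 request ever reaches a person. The following triage script is an added example written for this post; it is not Ice Miller's, the IRS's, or any vendor's code. The company domain `example.com`, the executive roster, the "discourages confirmation" phrases, and both sample messages are constructed assumptions; the W-2 request phrases are taken from the fraudulent emails listed above.

```python
"""Triage a raw email for W-2 / BEC spoofing indicators (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed company domain and executive roster: placeholders, not from the article.
LEGIT_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}

# Wording drawn from the fraudulent W-2 request emails quoted above.
W2_LANGUAGE = [
    r"\bw[-\u2010\u2011]?2\b",
    r"social security number",
    r"earnings summary",
    r"wage and tax statement",
    r"\bkindly\b",
    r"\basap\b",
]
# Phrases that steer the recipient away from phoning the executive: constructed heuristics.
NO_CONFIRM_LANGUAGE = [r"do(n't| not) call", r"in a meeting", r"can('t|not) talk"]


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_company(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """The company domain itself or one of its subdomains (hr.example.com)."""
    return domain == legit or domain.endswith("." + legit)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character swaps such as 1 for l."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True when the domain is not the company's but is easily mistaken for it:
    the same name under another TLD (example.org) or one character off (examp1e.com)."""
    domain = domain.lower()
    if not domain or _is_company(domain, legit):
        return False
    legit_name, domain_name = legit.split(".")[0], domain.split(".")[0]
    if domain_name == legit_name:
        return True
    return _edit_distance(domain_name, legit_name) <= 1


def triage(raw_message: str) -> list:
    """Return the list of spoofing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    if is_lookalike_domain(from_domain):
        findings.append("lookalike_sender_domain")
    # An executive's display name on an address outside the company domain.
    if display.strip().lower() in EXECUTIVES and not _is_company(from_domain):
        findings.append("executive_name_external_address")
    # Reply-To only becomes visible when the user replies; compare it to From now.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply_to_mismatch")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if sum(1 for p in W2_LANGUAGE if re.search(p, text, re.I)) >= 2:
        findings.append("w2_request_language")
    if any(re.search(p, text, re.I) for p in NO_CONFIRM_LANGUAGE):
        findings.append("discourages_confirmation")
    return findings


# Constructed sample: a spoofed executive request using the quoted fraud wording.
PHISH = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe@payroll-review.net
To: payroll@example.com
Subject: W-2 request

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2
of our company staff for a quick review. I am in a meeting, do not call,
just email them to me asap.
"""

# Constructed sample: an ordinary internal message from the real executive.
BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Lunch

Are we still on for lunch at noon?
"""

if __name__ == "__main__":
    print("phish  :", triage(PHISH))
    print("benign :", triage(BENIGN))
```

Each indicator is reported separately so that a mail gateway or SIEM rule can weight them; in practice a single hit on the request wording alone is a weak signal, while a lookalike domain or a Reply-To mismatch combined with that wording is worth holding the message for the dual-authorization step recommended above.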

Insurance Implications

Depending on the target of the attack, your insurance policy may classify spoofing attacks or other BEC scams as a “privacy breach,” a “security breach,” or as “social engineering fraud.” For example, if the target is information or data, such as is the case with this phishing scheme, coverage would be found under a network security and privacy liability policy. However, if the target is money or securities, filing a claim against your crime policy may be appropriate.

Your insurance broker and/or attorney can quickly determine the extent and scope of your coverage. However, this exercise is best done before an event occurs. Of course, if you/your business is the target of an attack, the insurer should be notified as soon as is practicable.

What to Do If You are Already a Victim

If you believe that your organization has already been victimized by a W-2 spoofing attack or any other BEC, it is important to respond quickly. You should alert your company’s incident response or risk management team and your primary legal counsel immediately. If you or your company do not have an incident response plan already in place, your legal counsel can help coordinate the necessary response actions. Additional information is available in the Ice Miller Data Breach Response Quick Reference. A swift response can reduce the total damage to your organization and your employees. The IRS has advised that the best way for individuals to protect themselves from fraudulent filing is to file their 2016 taxes as soon as possible. Additionally, affected individuals should promptly claim their account on IRS.gov with a legitimate email account so that they can monitor their tax documents for fraudulent activity.

Ice Miller’s Data Security & Privacy practice helps clients assess risks. We work with clients to help them implement a strong data security and privacy program. Stephen Reynolds, a former computer programmer and IT Analyst, is a co-chair of Ice Miller’s Data Security and Privacy Practice. Stephen can be reached at stephen.reynolds@icemiller.com or (317) 236-2391. Nick Merker, a former systems, network, and security engineer, is also a co-chair of Ice Miller’s Data Security and Privacy Practice and speaks frequently on international data transfers in the United States and abroad. Nick Merker can be reached at nicholas.merker@icemiller.com or (312) 726-2504. Nick Reuhs is a partner in Ice Miller’s Data Security and Privacy Practice, specializing in advising clients in insurance coverage matters, managing claims and advocating policy construction that maximizes the available insurance recovery. Nick Reuhs can be reached at nicholas.reuhs@icemiller.com or (317) 592-4738.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how the issues discussed herein apply to the reader’s specific circumstances.


[1] U.S. Internal Revenue Service, IRS, States and Tax Industry Renew Alert about Form W-2 Scam Targeting Payroll, Human Resource Departments, IR-2017-10, (January 25, 2017) available at https://www.irs.gov/uac/newsroom/irs-states-and-tax-industry-renew-alert-about-form-w2-scam-targeting-payroll-human-resource-departments.
[2] Symantec.Connect, Business email compromise scammers add tax return fraud to their toolbox (March 3, 2016) available at http://www.symantec.com/connect/blogs/business-email-compromise-scammers-add-tax-return-fraud-their-toolbox.
[3] U.S. Department of Justice, Stolen Identity Refund Fraud (March 3, 2016) available at https://www.justice.gov/tax/stolen-identity-refund-fraud.
