Email Security Blog

Do You Know Where Your W-2 Is? Probably Where You Left It

Ronnie Tokazowski April 18, 2019 Cybercrime

It’s like clockwork. Every year around tax time security vendors (even us!) push out warnings about W-2 forms being stolen at tax time, and every year dozens of organizations disclose that someone inside of their organization fell victim to a BEC scam where actors were asking for W-2 information. Historically, actors switch to W-2 phishing campaigns starting at the end of January, and typically slow down by April 15th—Tax Day in the United States. However, this year has been exceptionally quiet on the W-2 side. Is it just because the cybercriminals we track haven’t been as invested in this type of scam this year, or has there really been a dip in W-2 fraud?

In our dataset, there is no denying this downward trend. While we observed attempts for W-2s in late February, they accounted for only 2.6% of BEC attempts on that day. In previous years, actors made a very hard switch from wire fraud to asking for W-2s, so this seemed odd. But by looking at Google Trends for W-2 fraud, it’s very apparent that there is less reporting this year than in previous years, so much so that there is a 67% dip from the highest number in 2018 to the highest number this year.

Dip in W-2 fraud reporting over the last five years

The biggest question though is… why? Here at Agari, we have a few theories.

Increased Awareness and Communications

Starting in December 2018, the IRS began raising awareness for this type of crime, and we think those efforts may be one of the factors that contributed to the decline. Many news outlets started to pick up the communications and started spreading the word to be on the lookout for business email compromise attacks using payroll diversions, W-2 fraud, and other types of email fraud.

Major Failure in Previous Years

While some actors may use stolen W-2s for their own fraud, others will sell the documents. This enables them to make quick money, and reduces their risk in filing the fake returns. If actors only sell one W-2 to another hacker, the chances of being detected by a fraud system are limited. However, if that same W-2 was sold to 10 others, having 8 returns filed for the same person would be somewhat of a red flag—and not likely to yield results. There is a chance that cybercriminals have simply given up due to a lack of success.

Faked Information Fakes Out Criminals

In addition, we are aware that some organizations sent fake W-2s to actors. When we caught this, we informed the affected organization about the breach, but as it turns out, that data was completely faked. Unfortunately for the criminals, it made it all the way through the supply chain, where it was sold and distributed to other threat actors for filing purposes. The fact that it was fake data only came out when those actors complained that they could not file the returns. Seeing the amount of frustration this caused these cybercriminals, well, we tip our hats to you.

Increased Success with Other Methods

With the rise of new tactics, specifically requests for gift cards, threat actors no longer need to worry about the dozen or so steps it takes to file a fake tax return when they can yield the same result from a few gift card transactions. The time and effort it takes to cash out gift cards is much less than the time it takes to file a fake tax return, and gift cards reduce the risk of being caught. As these actors become smarter and find easier ways to fund their operations, they have a reduced need to make their money from fraudulent tax returns.

They Already Have What They Need

The final theory is that these criminals have been requesting W-2s over the last several years and may just be sitting on the data, to be used when and how they need it. Through one of our active defense engagements, we identified over 6,000 W-2s stolen by actors, which have since been passed to law enforcement. That said, we know that these had already been sold on underground markets, meaning that threat actors across the globe could already have access to everything they need to continue stealing real identities. With that much information at their disposal, perhaps they took this year off to focus on a new type of scam.

As we wrap up tax season, the good news is that W-2 fraud doesn’t appear to be as much of a problem as we’ve experienced in previous years. That said, one year does not create a pattern. People should continue to be wary about their personal information throughout the year, and we may see this pick up again in 2020.

To learn more about the work that the Agari Cyber Intelligence Division (ACID) is doing, check out the ACID website.
