On March 22 an employee at software company Pivotal Labs received an email purporting to be from CEO Rob Mee, asking for personal information about employees. Assuming the email was legitimate, the worker sent W-2 information — including the names, addresses, 2015 income details, Social Security numbers and Individual Tax Identification Numbers of an undisclosed number of employees — to what turned out to be a group of cybercriminals.
The company reported the breach to authorities, opened an investigation and is offering employees identity protection services, according to a notice it shared with employees. The incident was first reported by SC Magazine. (Pivotal Labs did not immediately return a request for comment.)
The incident highlights a growing scam involving phishing attacks, where criminals use stolen W-2 information to impersonate taxpayers and steal their returns.
“These scams are active right now, especially at tax season,” said Rodney Joffe, senior vice president at Neustar. “And while there have been some mentioned in the press, there are thousands of companies, small and large, being targeted each and every day.”
Other recent victims made public include data storage company Seagate and start-up Snapchat. Seagate inadvertently exposed the tax data of thousands of workers when an employee shared 2015 W-2 tax form information for current and former U.S.-based employees in response to a phishing email. Snapchat apologized to workers after its payroll department shared information about some current and former employees in response to an email impersonating CEO Evan Spiegel.
Both companies are investigating, cooperating with authorities and offering employees identity protection services.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond.”
The Federal Bureau of Investigation also issued a warning about the rise in schemes targeting businesses, financial officers and individuals on March 29. The W-2 scam is a seasonal variation of what is known as the business email compromise scam (BEC) or “CEO fraud.”
Law enforcement has received BEC complaints from victims in every U.S. state and in more than 79 countries, though the vast majority of victims are in the U.S. From October 2013 through February 2016, law enforcement received reports from 17,642 victims, adding up to more than $2.3 billion in losses. Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
“These scammers only have to be successful a very small percentage of the time for it to be lucrative,” said Joffe. “And $2.3 billion is a great motivator for new gangs to get into the business, so it will grow for that reason as well.”
The criminal organizations behind the attacks surf the web from what look like internet cafes, often in Nigeria, said Joffe. They research targets online to build a profile of the company, its corporate structure and the other entities with which it does business. Often, they register a domain that looks similar to the target company's, for example, replacing a “W” with a double “VV,” adding an extra “ii” into a word or using a slightly different domain name, for example, ending in “.co” instead of “.com.”
They then send emails from addresses that look almost indistinguishable from legitimate email accounts within the company.
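To make the domain tricks described in the last two paragraphs concrete, here is an added detection example (not code from the article or from any company named in it) that a mail gateway or SOC rule could apply to inbound From addresses. It assumes plain name.tld company domains; every domain and address in it is constructed for illustration.

```python
"""Flag sender domains that imitate a company's real domain.

Added example, not code from the article or any company named in it. It
turns the lookalike tricks the article lists (a "W" spelled "VV", an extra
"ii", ".co" in place of ".com") into a check a mail gateway or SOC rule
could run on inbound mail. Assumes plain "name.tld" domains; all domains
and addresses here are constructed for illustration.
"""
from difflib import SequenceMatcher

# Letter pairs that render almost like a single letter in many fonts.
HOMOGLYPH_PAIRS = {"vv": "w", "rn": "m", "cl": "d"}


def normalize_label(label: str) -> str:
    """Fold homoglyph pairs and collapse doubled letters, so that
    'vvidget' -> 'widget' and 'wiidget' -> 'widget'."""
    s = label.lower()
    for fake, real in HOMOGLYPH_PAIRS.items():
        s = s.replace(fake, real)
    collapsed = []
    for ch in s:
        if not collapsed or collapsed[-1] != ch:
            collapsed.append(ch)
    return "".join(collapsed)


def split_domain(domain: str):
    """Return (name, tld) for a domain such as 'example-widgets.com'."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]


def classify_sender(sender: str, company_domain: str, threshold=0.85) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a From address."""
    # Accept both 'ceo@domain' and 'Name <ceo@domain>' forms.
    sender_domain = sender.strip().rstrip(">").rsplit("@", 1)[-1].lower()
    if sender_domain == company_domain.lower():
        return "legitimate"
    s_norm = normalize_label(split_domain(sender_domain)[0])
    c_norm = normalize_label(split_domain(company_domain)[0])
    if s_norm == c_norm:
        # Same name after folding: VV/ii tricks, or a swapped TLD (.co for .com).
        return "lookalike"
    if SequenceMatcher(None, s_norm, c_norm).ratio() >= threshold:
        # Close edit distance: a dropped, swapped or transposed character.
        return "lookalike"
    return "unrelated"
```

Anything classified as "lookalike" is a candidate for quarantine or a warning banner, and the threshold should be tuned against the organization's own legitimate partner domains to limit false positives.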