Hackers in recent weeks have stepped up their efforts to steal employee tax information from companies in all kinds of industries.

Typically, the information contained on IRS form W-2 is used to file false tax returns or steal someone’s identity.

The situation has become so bad that the IRS earlier this month issued an alert to human resources and payroll professionals about the subject: Beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,” IRS Commissioner John Koskinen said.

“Now the criminals are focusing their schemes on company payroll departments,” he continued.

“If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees,” Koskinen warned.

Hard to Spot Crooks

What makes spearphishing attacks so effective is that they’re hard to identify — both by automated defenses and human beings.

“These scams do not generally have any active payload. They don’t have an attachment. They don’t have a URL of any sort that a traditional email security solution can associate with malicious behavior,” noted Vidur Apparao, CTO of Agari.

“Most of these attacks are pure social engineering attacks,” he told TechNewsWorld.

In addition, the attacks originate from legitimate Net infrastructure, not, as was seen in the past, from malicious infrastructure like botnets.

“Eighty-five percent of these attacks [are] coming from public cloud infrastructure,” Apparao said. “The fact that they’re coming from legitimate infrastructure makes them almost invisible to existing security solutions.

No Confidence in Execs

Once a spearphisher evades an organization’s automated defenses, the next layer of defense is people.

However, more than one in two (52 percent) infosec pros didn’t believe execs in their organizations could spot a phishing scam, according to a survey released last week by Tripwire of 200 attendees at the RSA conference in San Francisco in February.

That figure is likely to be higher as you move down the corporate food chain, suggested Travis Smith, a security researcher with Tripwire.

“An entry-level HR person with access to personnel information may not have the same level of training for spotting social engineering and phishing that a high-level executive has,” he told TechNewsWorld.

Even with training, though, the attacks are getting harder to spot by their targets.

“The criminals that are sending these phishing emails are getting increasing efficient in how they’re attacking their victims,” Smith said.

“They’re doing a lot of profiling before they send these emails,” he noted. “They’re doing background research. They’re investigating a company’s business activities.”

Fighting Phishing With Stories

If an automated solution is to counter clever spearphishers, it’s going to need some smarts of its own, which is what ZapFraud seeks to do in a patent it was awarded earlier this month.

The patent is for detecting email scams by what it calls their “storylines.”

While scammers constantly change their formulations, they very rarely depart from one of a relatively small number of storylines, ZapFraud said.

Consider an email that has a greeting from an apparent stranger, an expression of surprise, mention of large sums of money, an expression of urgency, and a request for a response.

“While you can’t enumerate all the ways a scam email can be produced, you can enumerate the building blocks,” said Markus Jakobsson, CTO of ZapFraud.

“By identifying the building blocks in a message, you can determine when something matches a story associated with risk,” he told TechNewsWorld.

When fighting phishing with storylines, you have to be aware of false positives.

“Identifying a storyline doesn’t mean something is evil,” Jakobsson said. “It means that one has to be cautious.”