With the 2018 US tax filing season now open, the race is on to submit your taxes before it becomes a mad scramble through a pile of receipts in early April. Now however, there’s one more reason to submit quickly – getting there before a cunning cyber criminal beats you to it.
Fraudsters are increasingly targeting businesses with deceptive emails to steal the W-2 forms of their employees. The criminals can then sell the data, which includes Social Security numbers, salaries and personal information, on the dark web for a quick profit, or use the information to conduct social engineering attacks on the victim. In a new twist, criminals have even been completing and submitting tax returns on behalf of the victim – and then claiming their tax refunds for themselves. The first the victim usually knows about it is when they go to submit their own returns, only to be told they have apparently already done so.
The W-2 scam is on the rise, with the IRS recently stating it received 900 reports from businesses in 2017 – up from just 100 in 2016. Over 200 organizations fell prey to the attacks, with hundreds of thousands of individuals having their details stolen as a result.
The attacks themselves are a variation on the dangerous Business Email Compromise (BEC) scam, which the FBI reports have cost more than $5B between 2013 and 2016 alone. The scammers will research the target organization to discover who handles its payroll, and then impersonate a senior executive over email to request the W-2 forms for all staff.
In BEC scams, more competent criminals can create very convincing deceptive emails which are almost indistinguishable from the real thing, disguising key signifiers such as the sender name, return address and IP address. Because the attack is impersonating a trusted authority within the company, many payroll employees will simply follow through with the request without a second thought.
Payroll staff should be made aware of the increased likelihood of deceptive emails requesting W-2 forms during the tax season, and companies should also implement stricter policies around sharing confidential data. However, firms should not rely on staff to catch everything, as well-crafted fraudulent emails can be indistinguishable from the real thing.
Instead, businesses should safeguard their employee’s W-2 forms by preventing deceptive emails from ever reaching their intended targets – and this is where Agari can help. Unlike most solutions which attempt to spot signs of malicious emails, Agari Enterprise Protect draws on analysis from more than two trillion emails each year to create a model of what a good email looks like. Armed with this intelligence, the solution is able to identify and block fraudulent emails with an unparalleled degree of accuracy.
Organizations that have already suffered W-2 theft should contact the IRS immediately at email@example.com, as there is a chance the IRS can take steps to prevent employees from becoming tax fraud victims. Those that have been contacted by fraudsters but spotted the scam can also notify the IRS at firstname.lastname@example.org. More guidelines and support from the IRS is available here.
With the W-2 scam looking to become even more widespread in the 2018 tax filing period, organizations need to work quickly to protect their employees from tax fraud. In the meantime, it’s time for citizens to put their tax returns on the top of their to-do list.
For more information from Agari and the SANS Institute on fighting targeted email threats such as BEC, view our webinar.