Pierluigi Paganini February 24, 2018

The FBI is warning of a spike in phishing campaigns aimed to steal W-2 information from payroll personnel during the IRS’s tax filing season.

The FBI has observed a significant increase since January of complaints of compromised or spoofed emails involving W-2 information.

“Beginning in January 2017, IRS’s Online Fraud Detection & Prevention (OFDP), which monitors for suspected IRS-related phishing emails, observed an increase in reports of compromised or spoofed emails requesting W-2 information.” states the alert published by the FBI.

W-2 information is a precious commodity for crooks that are showing an increasing interest in tax data.

Law enforcement and security experts observed many variations of IRS and tax-related phishing campaigns, but most effective are mass data thefts, for example, campaigns targeting Human Resource (HR) professionals.

“The most popular method remains impersonating an executive, either through a compromised or spoofed email in order to obtain W-2 information from a Human Resource (HR) professional within the same organization.” continues the alert.

“Individual taxpayers may also be the targeted, but criminals have evolved their tactics to focus on mass data thefts.”

A separate warning od W-2 -related phishing campaigns was issued by the Internal Revenue Service.

“The Form W-2 scam has emerged as one of the most dangerous phishing emails in the tax community. During the last two tax seasons, cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces.” reads the IRS’s advisory issued in January. “The scam affected all types of employers, from small and large businesses to public schools and universities, hospitals, tribal governments and charities.”

Once cyber criminal obtained the W-2 information, they will request a wire transfer, unfortunately, in the case of businesses and organizations the scam is not discovered for weeks or months.

“The initial email may be a friendly, “hi, are you working today” exchange before the fraudster asks for all Form W-2 information. In several reported cases, after the fraudsters acquired the workforce information, they immediately followed that up with a request for a wire transfer.” continues the advisory.

“In addition to educating payroll or finance personnel, the IRS and Security Summit partners also urge employers to consider creating a policy to limit the number of employees who have authority to handle Form W-2 requests and that they require additional verification procedures to validate the actual request before emailing sensitive data such as employee Form W-2s.”

Phishing scams related W-2 information have been increasing, the number of reports regarding this criminal practice from both victims and non-victims jumped from over 100 in 2016 up to roughly 900 in 2017, The IRS confirmed that more than 200 employers were victimized in 2017.

“Reports to [email protected] from victims and nonvictims about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016. Last year, more than 200 employers were victimized, which translated into hundreds of thousands of employees who had their identities compromised.” continues the alert.

Let me close with recommendations published by the FBI to avoid being victims of W-2 phishing scams and BEC:

• Limit the number of employees within a business who have the authority to approve and/or conduct wire transfers and handle W-2 related requests or tasks
• Use out of band authentication to verify requests for W-2 related information or wire transfer requests that are seemingly coming from executives. This may include calling the executive to obtain verbal verification, establishing a phone Personal Identification Number (PIN) to verify the executive’s identity, or sending the executive via text message a one-time code and a phone number to call in order to confirm the wire transfer request
• Verify a change in payment instructions to a vendor or supplier by calling to verbally confirm the request. The phone number should not come from the electronic communication, but should instead be taken from a known contact list for that vendor
• Maintain a file, preferably in non-electronic form, of vendor contact information for those who are authorized to approve changes in payment instructions
• Delay the transaction until additional verifications can be performed such as having staff wait to be contacted by the bank to verify the wire transfer
• Require dual-approval for any wire transfer request involving one or more of the following:
  • A dollar amount over a specific threshold
  • Trading partners who have not been previously added to a “white list” of approved trading partners to receive wire payments
  • New trading partners
  • New bank and/or account numbers for current trading partners
  • Wire transfers to countries outside of the normal trading pattern

Pierluigi Paganini

(Security Affairs – W-2 information, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]