It starts with the most innocuous of emails…
Hey, are you in the office today?
It says it’s from your manager, or one of your executives. So you respond:
Yes, I am in today.
The reply comes quickly…
I need you to send me a PDF of all employee W-2s so I can verify them today.
W-2 fraud has quickly become one of the most dangerous phishing scams circulating on the internet. While income tax fraud is nothing new, this scam has the potential to harvest large amounts of personal data to be used for income tax fraud or identity theft in general.
W-2 fraud usually begins with an email like the example above. While this email appears to be coming from an internal employee, it is often a criminal using one of the following methods:
- Spoofing – a criminal uses a computer program to modify an email’s header information, making it appear that the email originated from a friendly name or email address
- Compromise – a criminal fraudulently gains access to the email account of a manager or executive and sends the emails from a legitimate email address
The criminal on the other end of the email is hoping that you will not suspect the email came from outside of your organization. In many cases, the recipient replies to the email on instinct, and has no idea that they are not communicating with their manager. This instinctive reply is usually what leads to the employee barely noticing when they are asked to provide confidential information, like employee information, financial data, or strategic information.
Recognizing the Phish
Most phishing attempts open with a brief, non-personalized message. Cybercriminals are human; they don’t like to expend effort on a possibly fruitless mission. The initial message is often one sent to countless others, and in many cases the criminals are using untested email addresses. It is when a recipient replies to this initial email that the criminals ramp up the effort.
However, in more and more cases, criminals are specifically targeting certain organizations and individuals. This practice is usually referred to as “spear phishing”, because the effort is concentrated on a single target rather than spread across a widespread attempt.
Spear phishing is accomplished by a criminal doing research on an organization, identifying the organization’s major players, and individuals who will likely have access to the information or systems the criminals wish to breach. This research is often done by examining an organization’s website, social media pages, state corporation filings, or an organization’s publications. All of this information is publicly available. This intelligence gathering is often referred to as “Open-Source Intelligence”, or OSINT.
Once the criminal has identified their targets, they plan their means of contacting the target, usually via email. The criminals have multiple options available to them:
- Spoofing with a free email account – using a program to modify the email’s headers, disguising the email’s point of origin and identifying information
- Typosquatting – purchasing an email domain similar to their target’s with minor changes, hoping the recipient will not notice the difference (e.g., changing a zero for a capital O, or a number one for a capital I)
- Simply naming their free account as the manager the criminal is impersonating – this seemingly low-tech tactic has been used in several incidents with great effect
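As an added example (not code from the original article), here is a defender-side header triage check for the three contact methods listed above: an executive’s name on an external address, a look-alike domain built with the zero/O and one/I swaps, and a free-webmail sender whose Reply-To points somewhere else. The internal domain, executive names and sample messages are assumptions constructed for illustration.

```python
# Added example, not from the original article. Flags common W-2 phishing sender
# patterns from message headers. Spoofed From addresses that pass as internal are
# the job of SPF/DKIM/DMARC checks, which this header-only check does not cover.
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "acme-example.com"                       # assumed internal domain
EXECUTIVES = {"Jane Doe", "John Roe"}                       # assumed executive names
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}   # common free providers


def skeleton(domain: str) -> str:
    """Collapse the look-alike substitutions the article mentions (0 for O,
    1 for I) plus the common l/I and rn/m tricks into one canonical form."""
    d = domain.lower().replace("rn", "m")
    table = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})
    return d.translate(table)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in a message's headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    external = from_dom != INTERNAL_DOMAIN
    execs = {e.lower() for e in EXECUTIVES}
    flags = []
    # "Simply naming their free account as the manager": executive name, outside address
    if external and name.strip().lower() in execs:
        flags.append("display name matches an executive but sender is external")
    # Typosquatting: domain differs from ours only by confusable characters
    if external and skeleton(from_dom) == skeleton(INTERNAL_DOMAIN):
        flags.append(f"look-alike domain: {from_dom}")
    if from_dom in FREE_WEBMAIL:
        flags.append("sent from a free webmail provider")
    # Spoofed From with replies steered elsewhere: Reply-To domain differs from From
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        flags.append(f"Reply-To domain differs from From: {domain_of(reply)}")
    return flags
```

Feed each flagged indicator into the verification procedure described later in the article rather than treating it as proof on its own; a genuine executive mailing from a personal account will also trip the free-webmail check.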
Unfortunately, with so many options to hide behind, and so many free email providers, criminals do hold the upper hand. Therefore, when criminals go on the offensive, recipients must be prepared to defend.
Defending Against W2 Phishing Emails
W2 phishing emails often rely on the human factor, preying on our desire to help others. In most cases these emails carry no malicious payloads or phishing links and are not associated with other phishing or spam cases, so they are less likely to be detected by antivirus or spam filters.
An organization’s best defense against phishing is awareness. Organizations cannot rely solely on electronic defenses to protect their information. Organizations must shore up their human defenses as well. One way to enhance these defenses is developing a sound email security policy, in which employees are informed:
- What their organization email account should and should not be used for
- What information should and should not be shared via email
- What information management will never ask for via email
- What to do if they receive a suspicious email in general
- What to do if they receive an email claiming to be from another employee asking them to perform tasks or provide information
This is not meant to be an exhaustive list. There will always be cases where a manager is out of the office and needs access to certain information on the go. Organizations should develop verification procedures where the receiving employee can make contact with the requester, verifying that the emailed request actually came from them. Organizations should also discuss data classification and sensitivity, and determine what documents should never be sent via email, regardless of who asks for them.
It is not enough to simply put a policy on paper, sign it, file it, and never refer to it again, however. Awareness programs need to be refreshed on a regular basis, reminding experienced employees of policies and bringing new employees up to speed. Information may have changed, policies may have been adjusted, or new procedures may have been written. By regularly reviewing awareness programs with employees, organizations can be sure that employees have the most up-to-date information possible.
What to Do if You Receive a W-2 Phishing Email
If you receive a W-2 phishing email, the IRS wants to know about it! Per the IRS, these emails should be forwarded to email@example.com, with the subject “W2 Scam”. Once you have forwarded the email, delete it from your inbox, or report it as phishing if your email provider offers that option.
By making employees aware of how they should respond to phishing emails, organizations can help defend against cyber criminals. It is important to recognize that the threat exists, and an organization being “too small to be a target” is a false sense of security. Identity thieves are persistent, and even stealing one person’s details is a success. By arming themselves with the knowledge needed to recognize and respond to these threats, businesses can take the phrase “it won’t happen to me!” and turn it into “I won’t let it happen to me!”