Tax season is coming to an end, but unfortunately, the IRS and tax-related scams are not slowing down. In this month’s Threat Spotlight, we discuss W-2 fraud and why it can be even more successful after tax day.
The Barracuda Email Threat Scanner scans and analyzes thousands of corporate mailboxes daily across the world, giving us an interesting view into some of the more targeted phishing and spear phishing attacks. Attackers continue to evolve their tactics to evade spam detections and target unsuspecting users.
W-2 Phishing Scam – attacker uses multiple techniques to trick someone into sending the employee W-2 forms
As companies and individuals rushed to meet the April deadline to file taxes, or extensions to file at a later date, we continue to see a significant number of threats that go beyond the typical seasonal spam – into a highly-targeted W-2 phishing attack.
The consequences of the W-2 phishing attack can be devastating. Organizations that fell victim to W-2 attacks had to inform their employees, contractors, and students that they had failed to protect their most sensitive information. Oftentimes, the theft of W-2 is followed by additional attempts of identity theft.
W-2 forms are standard IRS forms that employers are required to provide to their employees at the end of each year. The forms document compensation and the information that the employer reported to the IRS. W-2 forms include this type of information:
• Gross wages
• Federal withholding
• Social Security tax
• Medicare tax
• State and local income taxes
• Dependent Care Benefits
Because of the nature of the form, the W-2 also includes the legal name, Social Security Number, and home address of the employee.
As you can see, these forms are rich with personal information. The document includes nearly everything you would need to know to steal the identity of another person. You could also use the information in the document as a starting point for research on a victim's family, potentially capturing sensitive information on many more victims.
In this attack, a criminal uses research and social engineering to identify at least two specific targets in the company. The first is the person who has access to the W-2 forms, typically one of the HR administrators. This is the person who will be contacted in the attack. The second target is the person who will be impersonated by the attacker, typically someone in senior management or some other high-level person who may sometimes have a legitimate need to access to the W-2s. These impersonations are very detailed, often naming specific employees or students who might be on the impersonated senior person’s team.
Once these targets are identified, the attacker establishes an email account for the manager being impersonated. Usually, these email accounts will have the proper username, but with a typo-squatted domain. For example, if the manager's email address is email@example.com, the attacker might use firstname.lastname@example.org or email@example.com. Typosquatted domains look close enough to what the reader expects, especially in the days when many users are checking emails quickly from mobile devices or otherwise on the go. Swapped letters or a misspelling are most common, and often very successful in tricking the user into thinking the URL is legitimate.
The attacker then uses the fake address to contact the person handling the W-2s at his or her legitimate address.
Observed subject lines include:
- Request for Employee W2 2016
- 2016 W-2’s
- John’s W2
When the recipient receives this email, it will include an urgent request for the W-2s to be forwarded (e.g., “I need the W2s ASAP, please send them by the end of the day today.”). Giving this sense of urgency – coming from a senior executive – is often the carrot needed to solicit a response.
If the recipient complies with the request, the W-2s will be sent to the fake address owned by the attacker. The attacker then sells the information on the black market.
Although we have just passed the tax deadline in the US, you can expect these attacks to continue. Look for new reasons for the W-2s, such as:
- Accounting firm lost the W-2s
- The company is preparing for an audit
- The manager wants to send the forms to central storage for safe-keeping
There are dozens more examples of creative excuses as to why a manager would want the W-2s after the filing deadline. For example, “Taxes are done, I'm looking at a new payroll firm for next year, can you send over the W-2s right away so they can take a look at them…”
Furthermore, there's another psychological component at work. Employees who handle W-2s and other sensitive tax documents are expecting fraud and data theft during the tax season. They aren't necessarily expecting it after the returns have been submitted. Many become less vigilant when a deadline has passed, and they are more easily tricked into participating in a scam like this.
Once the attacker receives the W-2s, he will make them available for sale. In 2016, account-monitoring company LogDog reported that Social Security credentials fetch approximately $1 each on the black market. If you consider the low cost of setting up the impersonation, even a dozen Social Security Numbers can be profitable after being sold a few times. Because of this, the attacker only needs a small number of these attacks to work for him to come out ahead.
The three techniques used in this attack are,
- Social Engineering: Researching the company’s organizational structure and personnel help the attacker create an email that looks legitimate. For an especially attractive target, the attacker might begin the attack by calling the company and impersonating someone on the phone.
- Impersonation: The attacker uses typo-squatting and other methods to trick the recipient into believing that there is a legitimate need for the W-2 forms, even though the tax deadline has passed.
- Black Market Sales: Once the W-2s have been captured, the attacker will parse the information and sell the valuable data, primarily the SSNs, on the black market.
This attack is interesting for several reasons:
- First, a large amount of research goes into targeting specific individuals who might fall for the attack, many who are not necessarily the most visible employees in the organization.
- Second, spear phishing and social engineering attacks are very hard to catch with existing email security solutions. As seen in this W-2 phishing attack, there is no malicious file or link that might typically be stopped by existing email security solutions. The attacks are very targeted and are sent much more infrequently than other spam or malware, which means they are much harder to detect with volume-based traditional spam detectors.
- Third, the attackers go to great lengths to make the email sound natural. For example, in one of the emails we analyzed, the attackers asked the response to be forwarded to another impersonated email of a colleague (e.g., “please also copy John <firstname.lastname@example.org>).
Companies should be vigilant against social engineering and impersonation attacks. They should assume they will get attacked in the near future if they haven’t already been attacked. These types of attacks may be stopped by the end-user if the person is trained and aware of how these attacks work. Barracuda always recommends regular training and testing of employees, especially for employees in sensitive departments such as HR, finance, and legal.
Multiple layers of security are always the best way to protect yourself and your company. An Email Security Gateway with outbound filtering and data loss prevention (DLP) can be configured to ensure that documents like W-2 forms are not transmitted to an outside domain via email.
Finally, if you’re curious whether your company has been the victim of a spear phishing attack, try our Barracuda Email Threat Scanner. It’s a free tool that scans your Office 365 account for advanced persistent threats and phishing risks.
Asaf Cidon is Vice President of Content Security Services at Barracuda. Connect with him on LinkedIn here.
Asaf Cidon is a professor of electrical engineering and computer science at Columbia University and a Barracuda adviser. He previously served as vice president of content security services at Barracuda Networks. In this role, he was one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.