Protect yourself from W-2 scams

Print Friendly, PDF & Email

Tax season in the US is just a few months away, and companies are already working on compiling and distributing the W-2 forms and other tax-related information to prepare for filing.  As you may have guessed, the criminals are also thinking about tax season and working out ways to steal your identity, sensitive information, and hard-earned tax refunds.

If a W-2 attack is successful, the victim may suffer multiple incidents of identity theft due to the data being sold to other criminals via the dark web. Click To Tweet

Why the W-2 form?

The W-2 tax form is a responsibility of every employer engaged in a trade or business that pays for services performed by an employee, and nearly every employee in the United States receives one of these each year.  These W-2 forms detail the employee's name, address, Social Security Number, wages, tax deductions, and other personal information.  Cybercriminals and tax scammers want this information so they can steal your identity, file fraudulent tax returns or sell it on dark web.   With your W-2 in hand, these criminals can generate multiple streams of income from a single identity.  There are details here if you'd like to learn more about W-2 forms

Recent research found that personally identifiable information, or PII scams,  represent approximately 12% of all email attacks studied for this Barracuda Threat Spotlight on Business Email Compromise (BEC).  These scams are often directed at departments like Human Relations, Finance, and Payroll because they have access to tax information.

W-2 scams do not represent a large segment of email-borne threats but they are very effective, and the number of people reporting this attack continues to grow.  Internal Revenue Service reports more than 200 employers were victimized in 2017, which translates into hundreds of thousands of employees who had their identities compromised.

How the attack works

Attackers are already targeting your organizations and we are seeing a spike in their activities. Here’s an example from early January that was captured by our systems:

 

These attacks usually follow the same pattern with three distinct steps.

Impersonation

W-2 scams are a form of Business Email Compromise attack where the criminals impersonate executives or other business authorities to request W-2 forms. Scammers will often use domain spoofing or display name spoofing in their attempt to impersonate. These attacks may also originate from already compromised email accounts, making them even more difficult to detect with traditional email security.

Request

These attacks contain requests for W-2 forms and often include a sense of urgency to put additional pressure on the recipient. Most W-2 email scams contain no malicious attachments or URLs and come from high reputation senders. Traditional email security that relies on blacklists, signatures, URL protection and sandboxing technologies will often miss this attack and allow it to be delivered to a user's inbox.

Data Loss

If the attack is successful, the data is sent to the criminal and will be used for identity theft, including fraudulent tax refunds.  Because the data can also be sold on the dark web, the victim may suffer multiple incidents of identity theft. Organizations that discover W-2 scams often offer to pay for employees Identity Theft Protection services encountering tens of thousands of dollars in unexpected costs.

W-2 scams are a Business Email Compromise (BEC) attack where criminals impersonate executives or other business authorities to request W-2 forms. Scammers will often use domain spoofing or display name spoofing in these attempts.Click To Tweet

Prevention

Preventing this type of attack requires the right technology and user security training.

After an attack

If you have fallen victim to a W-2 scam, immediately report the incident to the IRS here.  Advise your employees and launch an internal investigation to find the extent of the breach.  It's possible that the W-2 scam is part of a larger attack that has gone undetected.

Identify all recipients of fraudulent emails and look for additional compromised accounts in the process.  Remove the malicious emails as you find them, and update your security by adding the sender to your blacklist to block future attacks.    Barracuda Forensics and Incident Response can help automate this process.

If you have fallen victim to a W-2 scam, immediately report the incident to the IRS and launch an internal investigation to find the extent of the breach. The W-2 scam may be part of a larger attack that has gone undetected. Click To Tweet

 

Barracuda Total Email Protection ensures your organization is secured against email-borne threats. Its multi-layered approach combines the most advanced protection available with radical simplicity and ease of use.  Get started with a free trial here.

Scroll to top
Tweet
Share
Share