Email, January 15, 2022
From: Sandy’s boss, the CFO
To: Sandy, the Payroll Administrator
Hey Sandy, please send me all the W-2s for Marketing personnel. I just need to check for a possible issue. Thanks!
Don’t do it, Sandy.
Longtime readers of this space will recognize this blog post as one in a regular annual cadence of similar posts. The point is to raise awareness during tax season of the very popular and depressingly successful wave of W-2 scams that appears every year around this time. And to update you on the latest techniques you can employ to defeat those scams.
Tax season is like Christmas for cyber-scammers. That’s because nearly every employee in the U.S. receives a W-2 form from their employer, meaning that many millions of W-2 forms are being created, processed, transferred internally, and transmitted externally (digitally or in printed form) by basically every company in the country.
Now take a look at a W-2 form. It includes your legal name, your address, your Social Security number, your employer and their address, your employer’s taxpayer ID number, and of course your wages and withholdings. Pretty much the only thing missing that an identity thief needs is your date of birth and your mother’s maiden name. And if they can’t find that info elsewhere, they should be in a different line of work, or rather crime.
So identity theft is one possible goal for a W-2 scammer. On the other hand, if they are able to collect a significant number of W-2s, they can monetize them more easily by selling them on the Dark Web, where there is a thriving market in personally identifiable information (PII), especially Social Security numbers and financial information.
An increasingly common use of stolen W-2s is to file false tax returns with the IRS before the victims have had a chance to do so, in order to collect any tax refunds the victims may be owed. There are few things as disconcerting as filing your taxes only to be informed by the IRS that a return under your Social Security number has already been processed and the refund paid out. Predictably, it's a hassle to get that straightened out, but there is a defined process: you file IRS Form 14039, Identity Theft Affidavit, and once the case is resolved you can opt into an Identity Protection PIN (IP PIN), a six-digit number that must accompany any return filed under your SSN, which stops a repeat the following year.
Phishing, CEO impersonation, and business email compromise
How do scammers get their hands on W-2s in the first place? There are many specific techniques, but in the end they all boil down to one thing: fooling people.
It might start with a phishing email that tricks an employee into giving up their network credentials. The crook then uses those credentials to plant malware that searches file shares and mailboxes for W-2 files and exfiltrates them to an attacker-controlled server.
Or the crook might start with a carefully crafted impersonation email that appears to come from the CFO, as in the made-up example I began with. Using details gathered from social media and public-facing corporate websites (names, titles, who reports to whom, current projects), they make the message very convincing. The display name shows the CFO's real name, while the From: address uses a typosquatted domain (such as "@acrne.com" in place of "@acme.com", where "rn" passes for "m") that doesn't raise suspicion at a quick glance, especially during tax season when the payroll admin is especially busy.
Or they may simply have phished the CFO's email credentials earlier (executives are just as vulnerable as other employees, if not more so). Then they need only log into that compromised account and send Sandy the email. In that case nothing in the headers gives it away: the message really did come from the CFO's mailbox, so SPF, DKIM and DMARC all pass. The only tell is the request itself, which is why the answer has to be a process rule (W-2 data is never sent in reply to an email; the request is confirmed by phone or in person) rather than a sharper eye for fake addresses.
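The typosquatted From: address above is something a mail filter or a quick triage script can test for mechanically. Below is an added example, not code from the original post or from Barracuda, that classifies a raw From: header against a set of trusted domains: it decodes Punycode, maps Cyrillic homoglyphs and accented letters back to plain ASCII, collapses confusable sequences such as "rn" for "m", then applies a one-edit tolerance and a display-name check for executives. The domain "acme.com", the CFO name "Jordan Lee" and the sample headers are hypothetical, constructed for the example.

```python
"""
Lookalike-sender check for the CFO-impersonation scenario above.

Added example, not code from the original post or from Barracuda. It assumes
the organization's legitimate sending domain is "acme.com" and that the CFO's
name is "Jordan Lee" (both hypothetical); the From: headers in the usage block
are constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Domains this organization legitimately sends from (hypothetical).
TRUSTED_DOMAINS = {"acme.com"}

# Display names worth protecting, e.g. executives, lower-cased (hypothetical).
VIP_NAMES = {"jordan lee"}

# Multi-character sequences that read as one letter in many fonts, plus digits
# that pass for letters. Longer keys are applied first so "rn" -> "m" wins.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Cyrillic letters that are visually identical to Latin ones (IDN homographs).
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def to_unicode(domain: str) -> str:
    """Decode Punycode labels (xn--...) so homograph domains are compared as
    the characters a user would see, not as their ASCII encoding."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII, or not valid IDNA: keep as-is


def normalize(domain: str) -> str:
    """Collapse a domain to the ASCII string a reader perceives: lower-case,
    map homoglyphs, strip accents, then replace confusable sequences."""
    d = to_unicode(domain).lower()
    d = "".join(HOMOGLYPHS.get(c, c) for c in d)
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete,
    substitute and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(from_header: str) -> tuple[str, str]:
    """Classify a raw From: header. Returns (verdict, reason) where verdict is
    'internal', 'lookalike', 'vip-name-external' or 'external'."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return "internal", f"{domain} is a trusted sending domain"
    seen = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if seen == normalize(trusted):
            return "lookalike", f"{domain} renders like {trusted}"
        if edit_distance(seen, normalize(trusted)) <= 1:
            return "lookalike", f"{domain} is one edit away from {trusted}"
    if display.strip().lower() in VIP_NAMES:
        return "vip-name-external", f"display name {display!r} used from outside domain {domain}"
    return "external", f"{domain} is unrelated to trusted domains"


if __name__ == "__main__":
    # Constructed sample headers for the scenario in the post.
    for hdr in [
        "Jordan Lee <jordan.lee@acme.com>",
        "Jordan Lee <jordan.lee@acrne.com>",       # rn -> m, the example in the text
        "Jordan Lee <jordan.lee@acme.co>",         # one character dropped
        "Jordan Lee <jordan.lee@\u0430cme.com>",   # Cyrillic a, an IDN homograph
        "Jordan Lee <jlee.acme@gmail.com>",        # real name, free webmail
        "Vendor News <news@acmecorp.com>",
    ]:
        verdict, reason = classify_sender(hdr)
        print(f"{verdict:18} {hdr}  ({reason})")
```

Note what this does and does not catch. A lookalike domain is registered by the attacker, so SPF and DKIM for that domain will typically pass; authentication results alone do not flag it, which is why the visual comparison is a separate check. It also does nothing for the case where the CFO's real mailbox has been taken over: every header is genuine, and the only signal is the request itself, which is why the payroll rule has to be that W-2 data is never sent in reply to an email, regardless of who appears to have asked.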
And that’s just the tip of the iceberg. Credentials might have been gathered in an undetected data breach that took place years ago, and are now available for purchase on the Dark Web.
But at some point, in nearly every case, someone has been fooled. Which brings us to countermeasures.
A balance of technical and user-awareness solutions
The first step in preventing scams from fooling any of your employees is to minimize the amount of malicious or phishing email that reaches their inboxes. If you haven’t upgraded your email security in a while, you might be in for a pleasant surprise, as innovations in AI and machine learning have produced new solution categories that can dramatically reduce your risk.
- AI-powered inbox-defense solutions like Barracuda Phishing and Impersonation Protection use machine learning to build a model of normal communication patterns within your organization, in order to spot and block anomalies that indicate phishing and impersonation attempts that evade detection by traditional email gateway products.
- A similar type of solution is exemplified by Barracuda Account Takeover Protection, which, among other things, detects accounts that have been compromised and attempts to compromise them, then remediates automatically by quarantining the affected accounts and finding and removing the malicious emails they sent from user inboxes.
- A Zero Trust Network Access solution such as Barracuda CloudGen Access goes far beyond VPN and Single Sign-On solutions to continually monitor multiple factors that ensure only permitted people and devices, in known locations and at permitted times, can access your network assets.
- Finally, and most important, it’s critical to build a culture of security awareness within your organization. Modern security awareness training solutions such as Barracuda Security Awareness Training can be enormously helpful in this regard. Using a mix of simulated phishing attacks and advanced training modules, solutions like this have been proven to greatly increase the chances that a phishing attempt will be spotted and reported by its recipients. Gamifying the training — e.g., by awarding prizes to the employees who are most successful at spotting bad emails — drives real engagement with the process. And individualized results let you spot the most vulnerable users and target them for additional training.
- And when your highly trained users do report a genuine phishing attempt, an automated response solution like Barracuda Incident Response lets you find and eliminate every instance of it from every inbox it’s hit in seconds or minutes, rather than hours or days.
A taxing season
Tax season is stressful for everyone (except for the crooks who exploit that stress, presumably). In addition to the security measures listed above, there are some other important steps you can take to minimize your risk of falling victim to a W-2 scam. The IRS Taxpayer’s Guide to Identity Theft is full of useful tips and information that can help you avoid identity theft and spot it early when it happens.
Last of all, remember that tax season will come to an end. While phishing threats are year-round, by mid-April the W-2 scam attempts should at least begin to wind down, letting us all relax, just a little bit. Until next year.
Tony Burgess is a twenty-year veteran of the IT security industry and is Barracuda’s Senior Copywriter for Content and Customer Marketing. In this role, he researches complex technical subjects and translates findings into clear, useful, human-readable prose.