Originally published on the Barracuda Blog, February 7, 2019, by Olesia Klevchuk
Tax season in the U.S. is upon us, and companies are already working on compiling and distributing the W-2 forms and other tax-related information to prepare for filing. As you may have guessed, the criminals are also thinking about tax season and working out ways to steal your identity, sensitive information, and hard-earned tax refunds.
“If a W-2 attack is successful, the victim may suffer multiple incidents of identity theft due to the data being sold to other criminals via the dark web.”
Why the W-2 form?
The W-2 tax form is a responsibility of every employer engaged in a trade or business that pays for services performed by an employee, and nearly every employee in the United States receives one of these each year. These W-2 forms detail the employee’s name, address, Social Security Number, wages, tax deductions, and other personal information. Cybercriminals and tax scammers want this information so they can steal your identity, file fraudulent tax returns or sell it on dark web. With your W-2 in hand, these criminals can generate multiple streams of income from a single identity. There are details here if you’d like to learn more about W-2 forms
Recent research found that personally identifiable information, or PII scams, represent approximately 12% of all email attacks studied for this Barracuda Threat Spotlight on Business Email Compromise (BEC). These scams are often directed at departments like Human Relations, Finance, and Payroll because they have access to tax information.
W-2 scams are very effective and the number of people reporting this attack continues to grow. Internal Revenue Service reports more than 200 employers were victimized in 2017, which translates into hundreds of thousands of employees who had their identities compromised.
How the attack works
Attackers are already targeting your organizations and we are seeing a spike in their activities. Here’s an example from early January that was captured by our system:
These attacks usually follow the same pattern with three distinct steps.
Impersonation
W-2 scams are a form of Business Email Compromise attack where the criminals impersonate executives or other business authorities to request W-2 forms. Scammers will often use domain spoofing or display name spoofing in their attempt to impersonate. These attacks may also originate from already compromised email accounts, making them even more difficult to detect with traditional email security.
Request
These attacks contain requests for W-2 forms and often include a sense of urgency to put additional pressure on the recipient. Most W-2 email scams contain no malicious attachments or URLs and come from high reputation senders. Traditional email security that relies on blacklists, signatures, URL protection and sandboxing technologies will often miss this attack and allow it to be delivered to a user’s inbox.
Data Loss
If the attack is successful, the data is sent to the criminal and will be used for identity theft, including fraudulent tax refunds. Because the data can also be sold on the dark web, the victim may suffer multiple incidents of identity theft. Organizations that discover W-2 scams often offer to pay for employees Identity Theft Protection services encountering tens of thousands of dollars in unexpected costs.
Prevention
Preventing this type of attack requires the right technology and user security training.
- Anti-phishing protection: deploy purpose-built technology that doesn’t solely rely on looking for malicious links or attachments. One approach that is shown to be effective uses machine learning to analyze normal communication patterns within your organization. This allows the solution to spot anomalies that may indicate an attack.
- Anti-spoofing: domain spoofing is one of the most common techniques used in impersonation attacks. DMARC authentication and enforcement can help stop domain spoofing attacks, while DMARC reporting and analysis helps organizations to set enforcement. Barracuda Sentinel is a solution that makes DMARC easy.
- Account takeover (ATO) protection: artificial intelligence can be used to detect compromised accounts, alert recipients, assist in investigations, and more. This is essential to blocking attacks from the compromised account.
- Data Loss Prevention (DLP): the right set of technologies and business policies will block emails with W-2 forms from leaving the company.
- Proactive investigations: perform regular searches on delivered mail to detect emails related to W-2 forms. Do this frequently during tax season. Barracuda Forensics and Incident Response can perform keyword searches for you.
- Advanced computer-based training: require security training before tax season for HR/Payroll/Finance to raise awareness of W-2 fraud and how to report potential attacks.
- Simulated attacks: employ phishing simulation to evaluate and identify users who are most vulnerable to attack.
After an attack
If you have fallen victim to a W-2 scam, immediately report the incident to the IRS here. Advise your employees and launch an internal investigation to find the extent of the breach. It’s possible that the W-2 scam is part of a larger attack that has gone undetected.
Identify all recipients of fraudulent emails and look for additional compromised accounts in the process. Remove the malicious emails as you find them, and update your security by adding the sender to your blacklist to block future attacks. Barracuda Forensics and Incident Response can help automate this process.
