Businesses Targeted for Employee W-2’s

Overview

Tax season is a busy time for everyone, including criminals. Every year thieves steal W-2s and other tax data from thousands of Americans and then use the data to file fraudulent tax returns in those people’s names. On some dark web marketplaces, you can purchase a 2016 W-2 for as little as $4-20 worth of Bitcoin.

How the W-2 Scam Works

So how do all of these tax forms end up online? There are many forms of theft and fraud aimed at stealing this data, but one of the most common methods now is to target businesses to steal their employee data. A common tactic is to target an employee in HR, Payroll, etc. with a phishing attack or by email spoofing a superior’s email address. Basically, an email which appears to come from a manager or someone the employee would know, but it is actually sent from an attacker. These emails would have a message requesting all employee W-2 data be sent back via email.

Many or maybe even most people might be suspicious if they received such a message. They might call that supervisor on the phone to confirm the order, or take another step before just sending it along. But clearly, some people are falling for these attacks.

This is pretty much exactly what happened to Sunrun, a solar panel manufacturer with employees all over the country. An attacker sent a spear-phishing email to the Payroll Department which appeared to be from the company’s CEO Lynn Jurich. The email requested that all employee W-2s be emailed back. It was not detected as a scam at the time, and the social security numbers, salary details, and other private tax-related data was sent directly to the attacker. In the end, W-2s for roughly 3,400 employees nation-wide were compromised through that one email exchange.

Cyberattacks can be hugely profitable even if the campaign is only successful on a few percent of the attempts. Within an organization, it just takes that one weak link to compromise millions of dollars worth of data.

What Can You Do?

1. Be Patient: Remember that phishing emails prey on people’s fears, like an impatient boss who wants a quick reply. If ever something feels wrong, unusual, or out of place, take the time to verify the authenticity of the request.
2. Speak Up!: If you believe you have received a phishing email, say something! Contact your IT Department and/or manager in change. If you get this kind of request through GMail, Facebook, or other personal accounts, report it through the tools offered by the service, app, or site you are using. You can also contact the FBI’s Internet Crime Complaint Center (IC3) to file a report.
3. Prepare: From an organizational standpoint, employees need proper training to detect phishing attacks. Phishing has an incredibly high success rate because people often have trouble spotting a scam. Companies should have monthly sessions with employees to cover emerging threats, along with reinforcing best practices and the organization’s expectations. Preventing a data breach begins with supporting your team, and giving them the tools they need.
4. Get Ahead of the Threat: The final takeaway is that the best way to avoid being the victim of this form of identity theft fraud is to file your tax return before someone else files in your name.