In late 2018, the IRS published an urgent alert about a growing spear phishing attack circulating during tax season. Impersonating top executives, cybercriminals sent emails to payroll officials requesting employee W-2s. The IRS reported that in many cases the criminals used the W-2s to file fraudulent tax returns within days of receiving them.
A similar attack appeared in 2017 and targeted a large range of businesses, including schools, healthcare organizations, and tribal organizations. The IRS estimates that in 2017, more than 597,000 fraudulent tax returns were filed.
Why Tax Season?
A W-2 carries an employee's name, address, Social Security number, wages and tax withholding, and the employer's identification number: everything needed to file a tax return in that person's name. That makes it an ideal target for a cybercriminal looking to make money. On the black market, W-2s sell for anywhere from $4 to $20 per record. Given how little effort a one-off spear phishing email takes, a single successful attack against a payroll department can net thousands of dollars.
Tax season is a busy time for accounting and HR. They're more rushed, more tired, and more stressed than at any other time of year, which makes them more vulnerable to spear phishing. Now that accounting and HR departments have filed the initial W-2s, the corrections, clarifications, and internal reporting are just starting. In other words: spear phishing season is now open.
W-2s and Business Email Compromise (BEC)
A W-2 spear phishing attack is a variant of the classic business email compromise (BEC), or wire transfer fraud, which cost US businesses $2.1 billion in 2018. To prime their victims, attackers often first engage in pretexting: an innocuous opening exchange (a question about the employee's availability, a mention of a deadline) that establishes a plausible scenario and the employee's trust before the actual request arrives. In the 2017 W-2 attacks, the same attackers requested wire transfers within days of receiving the stolen W-2s.
The success rate of BEC attacks is compounded by how easy they are to create. Unlike brand phishing, which needs a convincing email template and a fake web page impersonating a known brand, a spear phishing email is typically plain text: no images, no attachments, and no links. This is also why spear phishing emails so frequently bypass email filters. Those filters are built to catch known phishing URLs and web pages, and a text-only message from an individual gives them nothing to match against. What remains to inspect is who the message claims to come from, whether that claim authenticates, where a reply would actually go, and what the message asks for.
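To make the previous paragraph concrete, here is an added example (not code from the original post or from Vade Secure) that applies the kind of origin, context and content checks a filter can still run on a link-free W-2 request: does the display name belong to an executive whose real mailbox differs, is the sending domain a lookalike, does Reply-To divert answers elsewhere, did DMARC pass, and does the text combine urgency with a request for W-2s or a wire transfer. The company domain, executive directory and both sample messages are constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All names, domains and sample messages here are constructed for this example.
COMPANY_DOMAIN = "example-corp.com"

# Hypothetical directory of executives likely to be impersonated
# (lower-cased display name -> their real mailbox).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Urgency cues and request cues typical of W-2 / wire-transfer spear phishing.
URGENCY_PATTERNS = [r"\burgent(?:ly)?\b", r"\basap\b", r"\bimmediately\b", r"\btoday\b",
                    r"\bright away\b", r"\bas soon as possible\b"]
REQUEST_PATTERNS = [r"\bw-?2s?\b", r"\bwage and tax statements?\b", r"\bwire transfer\b",
                    r"\bpayroll (?:data|records)\b"]


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower()


def _body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyze(raw_message):
    """Return the list of finding labels for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # Origin: an executive's display name on a mailbox that is not theirs.
    real_addr = EXECUTIVES.get(display_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append("display_name_impersonation")

    # Origin: an external domain that merely resembles ours (extra word, hyphen, etc.).
    if from_domain != COMPANY_DOMAIN and COMPANY_DOMAIN.split(".")[0] in from_domain:
        findings.append("lookalike_domain")

    # Context: a Reply-To elsewhere means the payroll clerk's reply (and the W-2s)
    # would go to the attacker, not to the claimed sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply_to_mismatch")

    # Context: the receiving MTA's Authentication-Results (RFC 8601) has no DMARC pass.
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    if not m or m.group(1).lower() != "pass":
        findings.append("no_dmarc_pass")

    # Content: plain text with no URL is what URL-reputation filters cannot see;
    # recorded for context rather than treated as an anomaly on its own.
    text = _body_text(msg) + "\n" + msg.get("Subject", "")
    if not re.search(r"https?://", text, re.I):
        findings.append("no_links")
    if any(re.search(p, text, re.I) for p in URGENCY_PATTERNS):
        findings.append("urgency_language")
    if any(re.search(p, text, re.I) for p in REQUEST_PATTERNS):
        findings.append("sensitive_data_request")
    return findings


def is_suspected_spear_phish(raw_message):
    """Flag a message when an origin/context anomaly coincides with a sensitive request."""
    f = set(analyze(raw_message))
    origin = f & {"display_name_impersonation", "lookalike_domain", "reply_to_mismatch"}
    return bool(origin) and "sensitive_data_request" in f


# Constructed W-2 request in the style described above: plain text, no links.
SAMPLE_W2_REQUEST = """\
From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: jane.doe.ceo@freemail.example
To: payroll@example-corp.com
Subject: W-2s needed today
Authentication-Results: mx.example-corp.com; spf=none; dkim=none; dmarc=none
Content-Type: text/plain; charset="utf-8"

Hi, I am in meetings all day. Please send me the 2018 W-2s for all
employees as a single PDF as soon as possible. Thanks, Jane
"""

# Constructed benign control: the real executive, authenticated, no sensitive request.
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Q1 all-hands agenda
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Agenda for Thursday is posted at https://intranet.example-corp.com/agenda
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_W2_REQUEST))
    print(is_suspected_spear_phish(SAMPLE_W2_REQUEST), is_suspected_spear_phish(SAMPLE_BENIGN))
```

None of these checks relies on a URL or attachment, so they still fire on the text-only message; the benign control from the real executive produces no findings. The keyword lists are deliberately small and would be tuned against a real mail corpus, and a "no_dmarc_pass" finding is only meaningful once the organisation's own domain publishes a DMARC policy.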
How to Protect Your Business from W-2 Spear Phishing
The IRS and FBI both provide recommendations on what your organization can do to protect itself from this threat, including:
- Inform employees of the scam.
- Establish an internal policy for sharing and distributing confidential information such as W-2s, and a separate procedure for handling wire transfers.
- Use two-factor authentication for email accounts.
- Use secondary communication tools (phone call, fax, etc.) to confirm all significant business transactions.
- Be cautious about what your company posts on social media about employees; criminals use this information to work out when executives are out of the office and to time their attacks accordingly.
If your organization receives a W-2 spear phishing email, forward it to phishing@IRS.gov.
Employee awareness training is central to protecting your users and your business from targeted email attacks. Cybercriminals often use social media to research their targets before launching a campaign, socially engineering victims without their knowledge and increasing the chances that they'll fall for the attack. Without training, users are unlikely to recognize an attack; without continuous training, they're unlikely to stay vigilant.
The Vade Secure Solution
Vade Secure for Office 365 uses artificial intelligence, including machine learning, to detect and block spear phishing attacks. Unsupervised machine learning models analyze the origin, content, and context of the email, searching for anomalies such as email spoofing, while natural language processing scans for malicious behaviors, such as urgency or flag words and phrases commonly found in spear phishing emails. Our artificial intelligence engine and filtering processes protect your organization by warning users that an email could be a spear phishing attempt, causing them to think twice before acting on it.