The IRS published an urgent alert about a growing spear phishing attack during this year’s tax season. Cybercriminals are stealing W-2s from large organizations to file fraudulent tax returns and steal identities. Although a similar attack appeared last year, this time cybercriminals are raising the stakes by also asking for fraudulent wire transfers and targeting a larger range of business including:

  • Schools
  • Tribal organizations
  • Non-profit businesses
  • Restaurant chains
  • Temp agencies
  • Healthcare organizations
  • Shipping and freight firms

Cybercriminals are stealing W-2s and requesting fraudulent wire transfers in the latest tax season spear phishing scam.

Why Tax Season?

Tax forms are rich with valuable information.

W-2s contain an incredible amount of confidential data making them the ideal treasure for a cybercriminal looking to make some money. On the black market, W-2s can sell anywhere from $4 to $20 per record. Plus, with the recent trend of hackers moving towards large-scale theft instead of one-off phishing attacks they can easily make tens of thousands from a single successful attack.

The tax season is a time that everyone in accounting is more harried than usual. They’re more rushed, more tired, and more stressed than at any other time of year. That makes them more vulnerable to a clever spear phishing ruse. Now that accounting and HR departments have gotten initial W-2s filed, the corrections, clarifications, and internal reporting is just starting. In other words… phishing season is now open!

W2’s and Business Email Compromise (BEC)

A W-2 spear phishing attack is a variant of the classic business email compromise (BEC). Hackers pose as executives and send emails to HR or payroll asking for W-2s. They may even engage in casual conversation with the employee to gain their trust before making their request. Employees may not be trained or know the signs of a phishing attack and unknowingly provide a hacker with the information they requested. With this year’s attack, some hackers even request a direct wire transfer once they have stolen w-2 information and gained an employee’s trust in a bogus email.

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme”
– IRS Commissioner John Koskinen

In an alert from June 2016, the FBI reported that $3.1 billion dollars had been stolen from 22,000 victims in fraudulent wire transfer scams. Combine that with the loss of confidential information in W-2s and many businesses could end up with hundreds of thousands of dollars in damages.

Protect Yourself

IRS and FBI Suggestions

The IRS and FBI both provide basic solutions on what your organization can do to protect itself from this threat including:

  • Inform employees of the scam
  • Educate employees on the warning signs of spear phishing attacks
  • Establish an internal policy for sharing and distributing confidential information like W-2s or how to handle wire transfers
  • Use two-factor authentication for email accounts
  • Use secondary communication tools (phone call, fax, etc.) to confirm ALL significant business transactions
  • Be cautious of what your company posts on social media about employees, as this information can be used by criminals to determine when executives are out of the office and help them determine the best time to schedule their attacks

If your organization receives a spear phishing email, the IRS requests that you forward it to

The Vade Secure Email Security Suite

Vade Secure is the best solution to protect you against the W-2 spear phishing attack or any other type of cyber threat. Our artificial intelligence engine and filtering processes protect your organization by preventing threatening emails from getting into your employees’ inboxes through:

  • Inbound filtering: to protect against known malware and phishing
  • Identity verification: to ensure that emails are coming from valid addresses in your contacts and not fraudulent accounts
  • Personal data warnings: to alert employees of potentially suspicious requests for sensitive data
  • Identity MatchTM anti-spoofing: to analyze behavioral and technical factors that could provide subtle indication that someone is not who they claim to be

The Vade Secure Email Security Suite can protect you from all types of phishing, ransomware, and zero-day attacks.

Want to ensure that your organization is protected from all types of cyber threats during tax season? Contact us today or sign up for a 30-day evaluation of the complete Vade Secure solution.