author photo
By Shawn E. Tuma
Fri | Feb 24, 2017 | 9:36 AM PST

Hunting season just began — the season in which cybercriminals are hunting for W-2 information from your company. They do this by sending emails spoofing high-level executives, such as the company President or CEO, to lower level clerical personnel requesting that W-2s for employees be provided by return email. The email is coming from — and then returned to — the criminal, not the executive, along with the W-2s. The company now has a serious data breach on its hands. Worse, your company’s employees’ information has been exposed and they now have this problem to worry about.

Tax Season is Prime Hunting Season for Cybercriminals

Law enforcement officers and cyber forensics professionals are reporting a drastic increase in this scam now, because it is tax season and these scammers are using this for tax related fraud. This week alone I have had new cases come in that involve this scam. If you have not been targeted yet, it is likely that you will be very soon.

The IRS’ Recent Warning About this Scam

On February 2, 2017, the IRS issued a warning about this scam: Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups and Others In this warning, the IRS states the following:

The Internal Revenue Service, state tax agencies and the tax industry issued an urgent alert today to all employers that the Form W-2 email phishing scam has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits.

In a related development, the W-2 scammers are coupling their efforts to steal employee W-2 information with an older scheme on wire transfers that is victimizing some organizations twice.

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen.

When employers report W-2 thefts immediately to the IRS, the agency can take steps to help protect employees from tax-related identity theft. The IRS, state tax agencies and the tax industry, working together as the Security Summit, have enacted numerous safeguards in 2016 and 2017 to identify fraudulent returns filed through scams like this. As the Summit partners make progress, cybercriminals need more data to mimic real tax returns.

Here’s how the scam works: Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).

The Security Summit partners urge all employers to be vigilant. The W-2 scam, which first appeared last year, is circulating earlier in the tax season and to a broader cross-section of organizations, including school districts, tribal casinos, chain restaurants, temporary staffing agencies, healthcare and shipping and freight. Those businesses that received the scam email last year also are reportedly receiving it again this year.

What Can You Do Now to Protect Your Company?

  1. Send this post to your employees so that they understand what the threat is and that they are the ones who will be targeted. You want to make them aware, discuss the issue with them, and help them understand that they should be very suspicious of any requests to email out anything of this nature (or make payments, such as with the very similar Business Email Compromise).
  2. Limit who has access to your company’s W-2s and other sensitive information.
  3. Put policies and procedures in place to require a second method of making sure that requests like this are valid, before complying (multi-factor authentication).
  4. Learn more about this scam from the FBI’s bulletin on this.
  5. Learn more about this scam from the IRS’s bulletin on this.

What Do You Do if it Happens to Your Company?

  1. Immediately contact experienced legal counsel who understands how to guide you through these compromises and, ideally, has appropriate contacts with law enforcement to assist in reporting this incident (See Reporting to Law Enforcement).
  2. Report the incident to the FBI or Secret Service and appropriate IRS investigators so that the IRS can implement appropriate procedures to protect your workers whose information was exposed in the W-2s.
  3. Prepare appropriate notifications (Incident Response Checklist) to the people whose information was exposed and be sure to stress to them that the IRS will never contact them directly, for the first time, via email, telephone, text message, social media or any way other than through a written “snail mail” letter from the IRS.