Looking forward to your tax refund?  You might be too late.  

The IRS issued a warning about one of the “most dangerous… email phishing scams we’ve seen in a long time.”  As a result, thousands of legitimate tax returns are being rejected, because scammers have already filed fraudulent returns in the victims’ names.  Using stolen W-2 information, scammers file a falsified return, and the IRS issues your refund to them.  When you get around to filing your legitimate return, the IRS database shows that a return under your Social Security Number has already been filed and refunded.

How are W-2 Phishing Scams happening?

Like many other attacks, this scam arrives by email.  Scammers use a disguised sender address (or a forged display name) that appears to belong to an organization executive, and the message usually targets the payroll or human resources department.  This type of scam is also referred to as business email compromise (BEC) or CEO fraud.

What makes this attack so “dangerous” and successful is that it chains two highly effective scams into a single campaign.  

The first piece is an email to an employee in payroll or human resources, requesting a list of all employees and their W-2 forms.  The employee, believing the request comes from an executive, sends the entire set of sensitive tax records to the attacker.

If the W-2 swindle succeeds, the scammers follow up with a request for a wire transfer to an account they control.  “Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars,” the IRS says in its alert.  
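The two requests described above share the same sender-identity tricks: an executive’s name on an address that is not the executive’s, a lookalike domain, or a Reply-To header that quietly routes replies off-domain.  The following is an added example, not code from the original article or from Breadcrumb, showing how a mail-gateway or SOC triage script can surface those indicators.  The corporate domain, the executive list and the three sample messages are all constructed for illustration.

```python
"""Triage inbound mail for BEC / W-2 phishing indicators.

Added example (not from the original article). The domain, executive names
and the sample messages below are constructed for illustration.
"""
import difflib
import re
from email.utils import parseaddr

# Hypothetical organization: the real corporate domain and the executives an
# attacker would most plausibly impersonate in a W-2 or wire-transfer request.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Phrases typical of the two coupled requests the article describes.
SENSITIVE_REQUEST = re.compile(r"\bw-?2s?\b|wage and tax statement|wire transfer", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_lookalike(domain: str, trusted: str = CORPORATE_DOMAIN) -> bool:
    """True for domains that are not the trusted one but closely resemble it:
    typosquats such as examp1e-corp.com, or the trusted label embedded in a
    longer domain such as example-corp-payroll.net."""
    if not domain or domain == trusted:
        return False
    similarity = difflib.SequenceMatcher(None, domain, trusted).ratio()
    return similarity >= 0.8 or trusted.split(".")[0] in domain


def analyze(message: dict) -> dict:
    """Score one message; `message` has 'headers' (dict) and 'body' (str)."""
    headers, body = message["headers"], message["body"]
    identity_reasons = []

    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        identity_reasons.append(f"display name '{name}' used with non-corporate address {addr}")
    if is_lookalike(from_domain):
        identity_reasons.append(f"sender domain {from_domain} resembles {CORPORATE_DOMAIN}")

    # A forged From can pass a casual glance; Reply-To is where the attacker
    # actually wants the W-2s or the bank details to go.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        identity_reasons.append(f"Reply-To {reply_addr} redirects replies away from {from_domain}")

    requests_data = bool(SENSITIVE_REQUEST.search(body))
    if identity_reasons and requests_data:
        severity = "high"
    elif identity_reasons:
        severity = "medium"
    elif requests_data:
        severity = "low"  # sender checks out; keyword alone is only context
    else:
        severity = "none"
    reasons = identity_reasons + (["requests W-2 data or a wire transfer"] if requests_data else [])
    return {"severity": severity, "reasons": reasons}


# Constructed sample messages (not real mail).
SAMPLES = [
    {   # Genuine payroll announcement from the real executive address.
        "headers": {"From": '"Jane Doe" <jane.doe@example-corp.com>',
                    "Subject": "W-2 forms now in the payroll portal"},
        "body": "W-2 forms for last year are available in the payroll portal.",
    },
    {   # Classic W-2 scam: executive's name on a typosquatted domain.
        "headers": {"From": '"Jane Doe" <jane.doe@examp1e-corp.com>',
                    "Subject": "Urgent request"},
        "body": "Kindly send me the W-2s for all employees as a PDF. I need it urgently.",
    },
    {   # Follow-up wire request: From looks right, Reply-To pulls replies off-domain.
        "headers": {"From": '"Jane Doe" <jane.doe@example-corp.com>',
                    "Reply-To": '"Jane Doe" <jd.exec@mail.example.net>',
                    "Subject": "Re: Urgent request"},
        "body": "Thanks. Please process a wire transfer of $48,000 to the account attached today.",
    },
]


def triage(messages=SAMPLES) -> list:
    """Severity per message, in input order."""
    return [analyze(m)["severity"] for m in messages]


if __name__ == "__main__":
    for m in SAMPLES:
        result = analyze(m)
        print(m["headers"]["Subject"], "->", result["severity"], result["reasons"])
```

Run stand-alone, the script rates the genuine payroll notice "low" (it mentions W-2s but the sender is exactly who it claims to be) and both scam messages "high".  The display-name check is the important one: the first scam message would pass SPF and DKIM for examp1e-corp.com, because the attacker owns that domain, so authentication alone does not catch it.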

Attackers have plenty of incentive to steal this information: beyond claiming your tax refund, an individual W-2 can sell for as much as $20 per record on the black market.  Almost all of the data needed to file a fraudulent return with the IRS is on a W-2: your name, employer name, employer ID number, employer address, your address, your Social Security Number (SSN), and your 2016 wages and tax withholdings.

How many people are being affected?

While W-2 phishing scams are not new, the IRS reports that phishers are starting earlier than in years past, so that they can file fraudulent refund requests in your name before you file.  The IRS also warns that cyber criminals have broadened their targets to include healthcare organizations, school districts, restaurant chains, nonprofits, tribal organizations, and staffing agencies.

In the wire fraud scam alone, the Federal Bureau of Investigation (FBI) estimates that criminals have stolen $3.1 billion from over 22,000 victims, roughly $140,000 per victim.  While no figures have been released for the W-2 phishing schemes, the scam made its rounds last tax season, with hundreds of companies victimized, including major corporations like Seagate Technology, Snapchat, Moneytree, and Sprouts Farmer’s Market.  So far this year, dozens of organizations have fallen victim to the W-2 phishing scam, including multiple school districts, SunRun, and Monarch Beverage.

What do I do if I have been a victim of a W-2 phishing scam?

If you believe you have received a W-2 phishing email, the IRS advises organizations to forward it to phishing@irs.gov with “W2 Scam” in the subject line.  If your organization has already fallen victim, file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

If you are an employee and your tax return has been rejected because a return was already filed under your Social Security Number (SSN), file IRS Form 14039, Identity Theft Affidavit.  If your W-2 has been stolen, follow the Federal Trade Commission’s (FTC) recommended steps for identity theft victims, or the IRS’s identity theft page.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

How do I prevent W-2 phishing scams?

You will not be able to prevent phishing attempts, but there is a lot you can do to minimize the likelihood of a breach and the damage an attacker can inflict on you or your organization.  A few steps that reduce your exposure:

  • File your tax return as soon as possible. - Filing before the scammer does not stop a phisher from stealing your data, but it does prevent them from collecting your refund.  If you file first, the scammer receives the IRS rejection notice, not you.
  • Enable two-factor authentication on your email account(s). - This makes it far harder for an attacker to take over a business mailbox, which scammers leverage to authorize financial transactions or to request sensitive data.
  • Require out-of-band verification for major financial transactions. - If email is used, for example, to trigger a large payment or a release of employee data, put a policy in place that requires a second channel (a phone call to a known number, or an in-person confirmation) to the person who supposedly made the request, before anyone acts on it.  Replying to the email is not verification: the reply goes back to the attacker.
  • Limit the amount of published information about employee activities online. - Businesses often publish personal details on social media to humanize the company, but attackers use that same information to plan their attacks.  For example, if an attacker learns that an executive will be out of the office, they know when a request “from” that executive is least likely to be checked in person.

Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.

Author: Jennifer Guidry, CMO