Phishing attacks targeting W-2 data hit 41 organizations in Q1 2016

Criminals have successfully targeted 41 organizations this quarter


In the first quarter of 2016, more than three dozen businesses have been victimized by Phishing attacks targeting employee tax records. The scams have impacted organizations both large and small, playing on fear and basic human nature in order to succeed.

Since January, Salted Hash has kept an eye on the number of BEC (Business Email Compromise / Correspondence) attacks taking place online.

BEC attacks are essentially a more focused variant of Spear Phishing, and more often than not the ultimate goal is tax information that can be used to obtain fraudulent returns.

According to a report released by PhishLabs earlier this year, the number of organizations targeted by BEC attacks grew tremendously in 2015, as attackers refined their techniques and sought new victims. As 2015 rolled into 2016, that trend showed no sign of slowing.

On March 1, the Internal Revenue Service issued an alert to payroll and HR professionals about the growing trend of BEC attacks targeting W-2 and other tax related data.

These types of attacks play on the trust relationships that exist within the company.

Some of them spoof the email address of the CEO or CFO, a person with authority, causing the employee receiving the message to hesitate when it comes to denying the request. Often, refusal isn't an option because no one wants to tell the boss no. Other attacks abuse trust by taking advantage of human nature, or specifically a person's general willingness to help.

Awareness programs are frequently cited as the answer for these types of attacks. But awareness programs that focus on disrupting trust between co-workers or senior staff are doomed from the start. The key is empowerment, enabling employees to question requests for sensitive data no matter the source – and training them to alert key members of the organization if something feels suspicious.

Furthermore, when it comes to personal or financial information, organizations should implement a policy that requires verification from a second person. Even better, include the IT or security team, especially if the request originated via email.

Empowerment and verification alongside awareness training are human answers to a human problem, and they're needed because technology alone won't save a company looking to fight these types of attacks.

"No type of anti-virus can protect an organization from being the victim of this type of attack. So, once that email shows up in the inbox of that employee in the payroll department, it’s game-on. Until organizations become more proactive in training their employees to look for the signs of this now all-too-common phishing scam, the attacks will continue into the foreseeable future," said Nathan Sorrentino, of STEALTHbits Technologies.

In the list below, the organizations mentioned have publicly disclosed BEC attacks that successfully targeted W-2 or payroll information.

Unless noted otherwise, W-2 data means the attacks compromised some or all of the following: Names, home addresses, salary information, withholding information, and Social Security Numbers.

March 2016:

  • Seagate Technology (March 1) – A Phishing attack compromised 2015 W-2 information for all U.S. employees or affiliate employees. [Notification]

  • Snapchat (March 1) – A Phishing email, spoofed to look as if it came from the company CEO, compromised payroll information (W-2) for current and former employees. [Notification]

  • Central Concrete Supply Co. Inc. (March 1) – A Phishing email sent on February 23 compromised 2015 W-2 information on employees who worked for Central Concrete Supply Co., Inc., Right Away Redy Mix, Inc., or Rock Transport, Inc. [Notification]

  • Main Line Health (March 1) – A Phishing email sent on February 16, spoofed to make it look as if the message came from a company executive, compromised W-2 information on all employees. The company learned of the incident during an internal audit following the public warning about such scams issued by the IRS.

  • Turner Construction Company (March 2) – A Phishing attack compromised W-2 information. Employee addresses and birthdays were not exposed. [Notification]

  • Actifio Inc. (March 2) – On February 3, a Phishing email compromised employee data, which included payroll and tax information. The compromised data includes name, address, date of birth, salary information, and Social Security Number. [Notification]

  • Billy Casper Golf (March 3) – On February 26, a Phishing attack compromised 2015 W-2 data for all employees. The company said that the email requesting the documents was spoofed to look as if it came from the CEO. [Notification]

  • Evening Post Industries (March 3) – A Phishing email sent on February 26, spoofed to appear as if the request was coming from the CEO, compromised 2015 W-2 information for all employees at the company and its affiliates. [Notification]

  • DataXu Inc. (March 3) – A brief disclosure to the New Hampshire Attorney General's office says that on February 18, a Phishing email compromised employee records, including names, addresses, salary details, and Social Security Numbers. [Notification]

  • Information Innovators Inc. (March 3) – A Phishing email sent on February 26, spoofed to look like an internal communication, compromised 2015 W-2 data for all employees. [Notification]

  • York Hospital (March 4) – A Phishing attack on February 22 compromised 2015 W-2 information. [Notification]

  • Acronis (March 4) – A Phishing attack on February 28 compromised W-2 information for all employees. The Phishing email itself was forged so that it looked like the request came from the CEO directly. [Notification]

  • Moneytree (March 4) – Reporter Brian Krebs reported that a Phishing email targeted W-2 information, and that all employees.

  • General Communications Inc. (March 4) – A Phishing email sent on February 24, compromised the 2015 W-2 data for all CGI, Denali Media, UUI and Unicom employees. The employee who received the Phishing email initially questioned it, but when the attacker persisted, they eventually released the information. [Notification]

  • Advance Auto Parts (March 7) – A Phishing attack compromised 2015 W-2 information. The Phishing email itself was spoofed to look as if it were an internal communication. [Notification]

  • Applied Systems Inc. (March 7) – A Phishing email on February 19 compromised 2015 W-2 information. The employee who was victimized by the scam had their access to such information revoked. Only US employees were impacted by this incident. [Notification]

  • eClinicalWorks (March 7) – A Phishing email sent on February 22, spoofed to look as if it came from a company executive, compromised 2015 W-2 information on both current and former employees. [Notification]

  • LAZ Parking (March 9) – On February 17, a Phishing attack compromised W-2 information. The Phishing email itself was spoofed to look like it came from a company executive. [Notification]

  • Endologix Inc. (March 9) – A Phishing email sent on March 3, spoofed to appear as if it were an internal request, compromised the W-2 information for both current and former TriVascular employees. [Notification]

  • ConvaTec Inc. (March 9) – A Phishing email sent on February 29, spoofed to look as if it came from a company executive, compromised W-2 data for all employees. [Notification]

  • Care.com (March 10) – A Phishing email sent on March 3 compromised W-2 data for Care.com's US-based subsidiaries (Breedlove & Associated, Care Concierge, and Citrus Lane). [Notification]

  • Foss Manufacturing Company (March 11) – A phishing email compromised 2015 W-2 data for all employees. [Notification]

  • Mitchell International Inc. (March 11) – A Phishing email sent on February 24, spoofed to look like it had come from a company executive, compromised W-2 on current and former employees. The incident was discovered on March 3. [Notification]

  • Matrix Service Company (March 11) – A Phishing email sent on February 3, spoofed to look as if it came from the company's CEO, compromised W-2 data for all active employees, including subsidiary companies. [Notification]

  • SevOne (March 14) – A Phishing email sent on March 7 compromised the 2015 W-2 records of all current and former employees. [Notification]

  • PerkinElmer, Inc. (March 15) – A Phishing email, sent on February 24 and spoofed to look like an internal request, compromised employee information including names, addresses, birthdays, Social Security Numbers, titles, and more. [Notification]

  • SalientCRGT (March 15) – A Phishing email sent on February 16, spoofed to look as if it came from the company CFO, compromised 2015 W-2 data on all current and former employees. [Notification]

  • Netcracker Technology Corporation (March 17) – A Phishing email sent on March 10, spoofed to look as if it came from the company's CEO, compromised W-2 information for all employees. [Notification]

  • Lanyon Solutions Inc. (March 18) – A Phishing email sent on March 10, spoofed to look as if it came from a company executive, compromised employee 2015 W-2 records. [Notification]

  • Dynamic Aviation (March 18) – A Phishing email sent on March 11 compromised 2015 W-2 information for all employees. [Notification]

  • CareCentrix (March 21) – A Phishing email sent on February 24, spoofed to look as if the message came from an internal employee, compromised 2015 W-2 information for all employees. The incident was discovered on March 7. [Notification]

  • Lamps Plus and Pacific Coast Lighting (March 23) – On February 11, a Phishing attack compromised 2015 W-2 data for all company employees. The email was spoofed to appear as if it were an internal communication. The company discovered the breach during an internal audit, as employees reported that tax returns had already been filed under their name. [Notification]

  • Sprouts Farmers Market (March 23) – Media reports and confirmation from the company directly say that a Phishing attack, spoofed to make the message look as if it came from a company executive, compromised employee W-2 information for all employees.

February 2016:

  • BrightView (February 3) – A Phishing email sent on February 3 compromised W-2 information on all employees active on a legacy payroll system. [Notification]

  • Magnolia Health Corporation (February 3) – A Phishing email, impersonating the company CEO, requested W-2 information for all active employees of Magnolia and each of the facilities managed by them, including Twin Oaks Assisted Living, Inc., Twin Oaks Rehabilitation And Nursing Center, Inc., Porterville Convalescent, Inc., Kaweah Manor, Inc. and Merritt Manor, Inc. The data was compiled into an Excel spreadsheet and delivered. The scam was discovered on February 10. [Notification]

  • Polycom (February 5) – The communications company said a Phishing attack compromised W-2 information, but only US-based employees are impacted. [Notification]

  • WorkCare (February 18) – A Phishing email compromised W-2 information on all current and former employees. [Notification]

  • Mercy Housing (February 19) – 2015 W-2 data was compromised by a Phishing scam targeting the company's payroll department. All company employees were impacted. [Notification]

  • Pharm-Olam International (February 23) – The company reports that a Phishing scam acquired 2015 W-2 data. The incident impacted U.S. employees only. [Notification]

  • AmeriPride Services Inc. (February 25) – A Phishing attack compromised W-2 information. The email was spoofed to look as if it came from within the company. The incident impacted only those U.S. employees that were paid bi-weekly out of the Corporate Resource Center. [Notification]

January 2016:

  • Robert Rauschenberg Foundation (January 25) – A Phishing attack successfully compromised various information. The company says exposed records included names, addresses, date of birth, Social Security Numbers, passport numbers, phone numbers, email addresses, credit cards, and banking details. [NH Notification] [Vermont Notification]


Non-Phishing (Tax-related data breaches):

TaxAct (January 11) reported that between November 10 and December 4, 2015 someone used credentials obtained elsewhere to access customer accounts. Successful attempts exposed stored tax returns.


TaxSlayer (January 29) reported that between October 10 and December 21, 2015 someone used credentials obtained elsewhere to access their customers' tax documents. Successful attempts allowed access to 2014 tax returns.


TurboTax (February 10) reported that between January 26 and February 1, 2016 someone used credentials obtained elsewhere to access customer accounts. Successful access exposed in-process tax returns or the prior year's completed tax return. The company issued another notification on March 16, 2016, alerting customers to similar incidents that took place between February 24 and February 29.


Lewis, Kisch & Associates, Ltd. (March 7) reported that a network compromise enabled access to client files. The data compromised included tax returns and the related information, including names, addresses, Social Security Numbers, and financial account information. [Notification]
