Thousands of taxpayers have been impacted by a wave of Phishing attacks targeting W-2 records, with more than sixty organizations reporting such incidents in the first half of the year.
By taking advantage of the trust relationships that exist within a given company; these attacks have resulted in at least $2.3 billion in losses over the last three years.
Business Email Compromise / Correspondence attacks (BEC attacks) aren't overly clever, but they're effective. A person with authority is impersonated, and a lower-level staffer is asked to share W-2 records or related payroll information. That's all there is to it.
Because the request looks and feels legitimate, the employee usually complies, but there have been a few cases where the scam was flagged before any damage could be done.
Last month, Jonathan Sander, vice president at Lieberman Software, remarked to Salted Hash that the common theme in each successful attack is also the reason why the success rate should be zero.
"The employee shouldn’t have been able to access that much data without some sort of oversight kicking in. The fact that a single employee, for any reason, could grab so much data and simply send it to anyone, regardless of who they think that person is, is a scary prospect when you stop to think about it. Of course, you can also ask why an employee would be fooled into thinking that an executive would be making such a sweeping request," Sander said.
In the first quarter of 2016, at least 41 organizations were victimized by BEC attacks, but that number is closer to 70 when additional disclosures are counted. Some organizations were successfully hit earlier in the year, but only just recently discovered the problem, delaying notification.
On April 25, GoldKey | PHR, a hotel management company that controls a large part of the rooms on Virginia Beach, disclosed that W-2 information was compromised on February 29, but this fact wasn't discovered until April 3. The cause of the breach was listed as a "criminal Phishing email" and impacted at least 3,000 people.
Also on April 25, NetBrain Technologies Inc., a network visualization firm based in Burlington, Massachusetts, said someone posed as a company executive and requested 2015 W-2 data on March 3. The documents were delivered as asked, impacting all employees.
On April 12, the Girl Scouts of Gulfcoast Florida disclosed that on March 17, someone impersonated the author of the notice itself, Betsy Laughlin, the Director of Finance, and requested 2015 W-2 records. Because the request was spoofed to appear as if she sent it, the employee who received it didn't hesitate.
On April 26, Michels Corporation, a contractor based in Brownsville, Wisconsin, disclosed that a company executive was impersonated by a scammer, requesting 2015 W-2 records. The incident occurred on April 16, and impacted more than 5,000 current and former employees.
With a low barrier of entry to launch such a campaign, and an even lower overhead, criminals show no signs of slowing when it comes to targeting W-2 information. Even if the stolen data isn't used immediately, it can be compiled and sold for a number of different uses.
"If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees," IRS Commissioner John Koskinen said in a statement issued earlier this year with a memo warning about the rise in BEC attacks.
Many of the firms that have disclosed these incidents report that employees have detected tax fraud, which seems to be the ultimate goal in these attacks. Since 2015, the FBI says there has been a 270-percent increase in the number of identified victims and exposed losses.