More than 120,000 affected by W-2 phishing scams this tax season

The number of reported incidents hits triple digits

IRS
Magdalena Petrova

Tax season doesn't officially end in the United States until April 18. At last count, 110 organizations have reported successful phishing attacks targeting W-2 records, placing more than 120,000 taxpayers at risk for identity fraud.

Many of those working for the victimized firms have had a stressful time dealing with the fallout. Those who have experienced this unique type of crime say it's a nightmare. Some of those affected have had fraudulent returns filed under their name, in addition to issues with educational expenses. In one case, the scammers created flexible spending accounts with their stolen identities.

The phishing attacks causing so much damage, also known as BEC (Business Email Compromise) attacks, are simple and effective. They exploit trust relationships within the office and, in many cases, the routine practice of sharing data via email.

According to the IRS, these attacks are some of the most dangerous email scams the agency has seen in a long time.

"It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme," IRS Commissioner John Koskinen remarked in a warning issued last month.

Based on data from the National Center for Education Statistics (NCES), employment figures at Glassdoor, and data provided by the victims when they disclose the incidents to the Attorneys General of California, Vermont, New Hampshire, etc., more than 120,000 taxpayers have been affected by a BEC attack through no fault of their own.

In 2016, Databreaches.net tracked 145 BEC victims. With more than five weeks left in the current tax season, the count sits at 110 (as of 03-13-17) and shows no signs of slowing. Dissent, the administrator of Databreaches.net, has been keeping a running list of BEC attacks in 2017; the latest updates are available on her website.

As mentioned, those impacted by the BEC attacks have described the aftermath as a frustrating nightmare, one that drains them of time and, in some cases, money when their returns are delayed. Others are turning to the courts for answers.

In January, Sunrun – a solar panel maker in San Francisco, CA – was victimized by scammers pretending to be the company CEO. They disclosed the incident, but now face a class action lawsuit over the matter.

Salted Hash will continue to follow the BEC activities this tax season and update as new developments emerge. In the meantime, if you've been affected by a BEC attack, you should consult the IRS Guide to Identity Theft, and follow their advice.
