Last week, the Internal Revenue Service (IRS) issued a new warning to employers, urging them to stay alert as reports of compromised W-2 records started to climb. This newest advisory aligns with the agency's plan to delay refunds for those filing their returns early in order to combat identity theft and fraud.
The IRS also informed employers the W-2 scam has moved beyond corporations, expanding to include schools, tribal organizations, and nonprofits.
In a statement, IRS Commissioner, John Koskinen, said the scams - sometimes known as Business Email Compromise (BEC) attacks - are some of the most dangerous email scams the agency has seen in a long time.
"It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme," Koskinen said.
In 2016, at least 145 organizations fell victim to BEC scams, exposing tens of thousands of employees to tax fraud and identity theft. Salted Hash kept track of some of the high-profile cases, and Databreaches.net tracked everything, resulting in a massive list of documented successful attacks.
As of February 5, 23 organizations have disclosed BEC-related data breaches publicly, each one resulting in compromised W-2 data.
Based on data provided by the victims, as well as data from the National Center for Education Statistics (NCES) and employment figures at Glassdoor, the successful BEC attacks have affected at least 29,534 taxpayers.
The confirmed BEC victims include ten school systems, a software development firm, a utility company in Pennsylvania, at least one restaurant in Indianapolis, and businesses operating within the healthcare, finance, manufacturing, and energy sectors.
Update: Earlier today (February 6), Salted Hash learned of another BEC victim. Distribution International emailed employees that their W-2 data was compromised on January 27. Their notification expands the number of affected taxpayers to more than 30,000.
2/7/2017: Sky Climber, LLC. emailed employees about an attack on January 23. The scammers spoofed an email and pretended to be one of the company's owners. W-2 records for all companies and all employees were compromised. The total number of people impacted is unknown. Salted Hash reached out to Sky Climber's CFO, Jeff Caswell, for more information.
Also, the College of Southern Idaho has reported an incident that could impact 3,000 employees. According to Public Information Officer Doug Maughan, the W-2 records affected belong to seasonal and auxiliary staff.
Palomar College disclosed an attack on January 30, which affected employee W-2 records. The school didn't say the incident was the result of a BEC attack, but Salted Hash is listing it anyway due to the timing of the attack and the information targeted.
Finally today, the West Michigan Whitecaps - a Class A minor league baseball team affiliated with the Detroit Tigers - said staff W-2 records were compromised after someone posing as a manager requested them.
In 2016, the criminals behind the BEC attacks mostly focused on payroll and tax records. This year though, the IRS says that in addition to the usual records request, the scammers are now following-up and requesting wire transfers.
"Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers," the IRS explained in their warning.
"Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers."
Background: What are BEC attacks?
BEC attacks are essentially Phishing scams, or Spear Phishing since the criminals have a specific target. They're effective too, exploiting the trust relationships that exist within the corporate environment.
In a majority of the reported cases from 2016, the attackers forged an email and pretended to be the victim organization's top executive, or someone with direct authority. Often it is the CEO or CFO, but any high-level manager will work.
The message, usually sent to someone in Human Resources or payroll, isn't subtle – the attackers clearly identify the type of data they're after.
The three examples below have been seen recently, but they're similar to the messages criminals sent last year.
Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
The messages change between attacks, but the examples provided by the IRS offer a clear teaching tool – do any of those requests "sound" like your CEO, or CFO? Would someone working in administration request those records using this wording?
Context is key. These examples sound wrong when you read them out loud. But strange wording or not - clearly they're working.
It's worth noting, some criminals have used customized email templates and compromised company accounts to pull off similar scams. The attacker words their message to match the style of the person who is supposed to be making the request. In those situations, a passive read might not be enough to determine if the request is a scam.
BEC isn't a tech problem
BEC attacks can't be fixed with a single tool or security product. Successful attacks are the result of humans being human and poor data control policies.
Again, the criminals behind these attacks are looking to take advantage of a typical workflow where protected information is normally shared via email, especially with executives.
In their eyes, it's purely a numbers game – one that's paying off in the long run.
Salted Hash and Databreaches.net will keep track of BEC attacks this tax season, updating as often as possible once the details become public. The list being maintained by Dissent at Databreaches.net is available now.
Dealing with the aftermath of a BEC attack
If you've been impacted by a W-2 scam, follow the advice published by the Federal Trade Commission (FTC), as well as the advice published by the IRS.
In addition, anyone who has had their Social Security Number compromised in a data breach, or has had their e-file return rejected as a duplicate, needs to submit a Form 14039 - Identity Theft Affidavit.
This form is also required if someone has been contacted by the IRS via USPS, and informed they may be a victim of identity theft tax fraud.
Want to add your rant about this scam? Head to Facebook.