Indiana distributor hit by W-2 scam twice in two years, more than 600 affected

Investigation revealed second successful attack in 2016

Monarch Beverage, Indiana's largest distributor of beer and wine, said they were victimized by scammers targeting W-2 records this week, affecting more than 600 employees.

However, the situation went from bad to worse after an internal investigation revealed that the company was also hit in 2016.

On January 24, someone posing as Phil Terry, Monarch's CEO, emailed an employee requesting copies of everyone's 2016 W-2 forms. Believing the request to be legitimate, the employee complied. The scammer's success was discovered on February 1.

An investigation was launched immediately, and that's when the second attack was discovered. In April of 2016, someone posing as Terry requested 2015 W-2 records, which were delivered as asked.

"Monarch Beverage discovered on February 1, 2017, that it was the victim of a ruse to gain unauthorized access to the company’s employees’ W2-forms," a statement given to CBS4 said.

"As soon as company officials discovered the loss of data, the company alerted law enforcement, including the FBI, local police, the IRS, the Indiana Attorney General and the Indiana Department of Revenue. We deeply regret that this has occurred and we offer our sincerest apologies to everyone affected. Any current or former employee who may be affected has been provided with three years of credit protection services through Experian’s ProtectMyID."

Last week, another Indianapolis business was successfully targeted by W-2 scammers, impacting nearly 4,000 taxpayers.

The scams, also called BEC (Business Email Compromise) attacks, are phishing attacks that exploit the trust relationships within a given business.

It isn't a technology problem, though; it's a people and policy problem. Scammers are hoping to interact with organizations and people where sending such sensitive records via email is routine. Once that's accomplished, all the scammer has to do is convince the victim the request is legitimate, which usually only requires a spoofed email address and name.

As reported on Monday by Salted Hash, the IRS issued a new warning to businesses earlier this month about W-2 scams, urging them to stay alert. Monday's report also contains a number of updates, as new BEC victims were identified.

So far, more than 30,000 people have been affected by these scams across 31 different incidents.

In addition to the updates in Monday's story, Corsicana Independent School District reported that they were victimized by scammers on February 1; Verc Enterprises said someone spoofed a district manager's email address and requested W-2 records on January 21; and Adventist Health Tehachapi Valley says that about 250 current and former employees were affected after scammers obtained their W-2 records.

Salted Hash and are keeping a running list of BEC attacks this year, updating it as often as possible. The list is being maintained by Dissent at


Minutes after this story was published, Salted Hash learned that Alton Steel was victimized by a BEC attack on February 2. The company learned of the incident on Monday. The incident affects nearly 300 employees. The Alton Telegraph is reporting that at least seven employees are already victims of identity fraud, having discovered tax returns filed under their name.

The city of Twinsburg, Ohio has said that more than 500 city employees will be getting identity theft protection, after a scammer compromised their 2016 W-2 records. Some of the city employees are reporting that fraudulent returns have been filed under their name.

Mohave Community College didn't disclose the number of employees affected, but scammers compromised the school's W-2 records. Staff were told about the incident on February 3.

Copyright © 2017 IDG Communications, Inc.
