Cybercriminals are getting crafty. That means we have to get crafty, too, and have security awareness programs that adapt to trending threats.

While this blog is nominally mine, I don't come up with ideas in a vacuum. This article on W-2 scams sprang from a conversation I had with my colleague Steve Williams, who ended up being my co-author. Read more about him at the end of this piece.

Multiple times each year, LinkedIn feeds and information security forums light up with examples of the latest and greatest versions of phishing attacks. Most recently the hot stories have been about a simple targeted request that avoids links, attachments, and malware, plays friendly with email filters, and appears extremely urgent to the recipient. This form of phishing is known as the W-2 scam.

According to CSO Online, W-2 scammers compromised the information of 29,000 employees across 23 organizations in the first two months of 2017. Victim organizations ran the gamut from schools and nonprofits to restaurants, software companies, and public utilities.

The W-2 scam tries to take advantage of people in accounting, controller, and HR roles by presenting urgent requests for employee W-2 information. These messages arrive during a time of the year when individuals in these roles fully expect to receive messages from time-stressed CFOs or even CEOs requesting urgent action. In this scenario, attackers pair social engineering and phishing to put the sensitive personal information of employees at risk. All of it rests on a well-timed email request, a decision made in the moment, and the SEND button.

W-2 scam: The right message at the right time

The W-2 scam ranks up there with some of the more impressive phishing attack methods. It proves that the right message sent to the right person at the right time can produce immediate results. But why leave the benefit of this tactic to the bad guys?

The idea of getting the right content to the right people is one that we good guys should be eager to exploit. If the combination of role-based phishing and social engineering can be this effective in getting people to do the wrong thing, then perhaps we should be looking for opportunities to use similar tactics to get them to do the right thing. If we can use precise targeting and timing for security awareness, perhaps we can tip employees in the right direction.

After all, it makes no sense to educate everyone on the W-2 scam. Training all your outside sales representatives (or call center reps or developers or drivers, etc.) on the W-2 scam would be a misdirected effort because the scenario doesn't align particularly well with their role or access level. In contrast, any individual with access to payroll systems and employee tax information should get some immediate and meaningful form of training on this scenario. This means more than a "watch out for this" message, which may get buried in an inbox.

To get real results, a better approach would be to use simulated W-2 scam emails sent just to those who are susceptible. For those who report the attempts, immediate positive feedback is in order. For those who fall victim, immediate (but still positive) education is needed. Now you're getting the right content to the right people at the right time, just like the scammers.

Of course, you'll have to set up similarly realistic and irresistible simulated phishing temptations for your other employees, perhaps purchase orders for the sales team or urgent customer requests for your customer service reps. But you'll quickly find much more meaningful results than anti-phishing training that gets set on auto-pilot with random templates and similarly random feedback.

While phishing simulations can help improve decision making and reduce susceptibility to these threats, security awareness that includes a "what to do" component blended with "what not to do" helps empower people to make the right call when it matters.

Victory over W-2 scam

One organization reported a victory over the W-2 scam through its own internal "multi-factor authentication" process. This process required that any fund transfer or request for sensitive information be reviewed and approved by two team members and then reviewed once more before being completed by a third individual. The process leveraged the "multi-factor" capabilities of people and shut down the scam when the second individual reviewing the request noticed inconsistencies within the email and quickly confirmed that the CEO never made this request.

To play defense effectively and win, you have to study the attacker's playbook and tendencies. In the case of social engineering and phishing scams, they've got a page or maybe even several chapters in the playbook for role-based attacks. The W-2 scam provides us with yet another example of how a security awareness program that adapts and mobilizes in response to trending threats, and provides targeted content to specific roles, offers a distinct advantage over the "one size fits all" approach. It comes down to this: Cybercriminals are getting crafty; we've got to get crafty too.

About Steve Williams

Steve is the Director of Strategic Partnerships at MediaPro and has spent the past four years helping companies develop, launch, and enhance their security awareness and data privacy programs. Steve has worked alongside and been taught by some of the most recognized security awareness and social engineering experts.
Steve currently oversees MediaPro's global partnership program, working to bring together talented security- and privacy-minded companies to better equip people with the knowledge needed to protect and defend against today's threats to information and privacy.
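The "multi-factor" review process described under "Victory over W-2 scam" is a dual-control (separation of duties) workflow, and it is easy to get wrong in practice if nothing enforces that the reviewers really are different people. The following Python model is an added example, not the process or code of the organization the post mentions or of MediaPro; the staff directory, role names and request ids are constructed for illustration. It enforces that a sensitive-data request needs two distinct authorized reviewers, that any single reviewer can stop it, and that the person who finally completes it is a third individual who was not one of the approvers.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Roles that may review a request for payroll or tax data. Constructed for this
# example; a real deployment would take them from the HR system of record.
APPROVER_ROLES = {"payroll", "hr", "controller"}


@dataclass
class SensitiveRequest:
    """An inbound request for sensitive data, e.g. 'send me all employee W-2s'."""
    request_id: str
    claimed_requester: str                 # who the email says it is from
    approvals: List[str] = field(default_factory=list)   # distinct reviewer ids
    rejected_by: Optional[str] = None
    completed_by: Optional[str] = None

    @property
    def state(self) -> str:
        if self.rejected_by:
            return "rejected"
        if self.completed_by:
            return "completed"
        return "pending"


class DualControl:
    """Requires N distinct reviewers, then a further distinct person to execute."""

    def __init__(self, directory: Dict[str, str], required_approvals: int = 2):
        self.directory = directory          # user id -> role (constructed)
        self.required = required_approvals

    def _check_reviewer(self, req: SensitiveRequest, user: str) -> None:
        if req.state != "pending":
            raise RuntimeError(f"{req.request_id} is already {req.state}")
        if self.directory.get(user) not in APPROVER_ROLES:
            raise PermissionError(f"{user} is not an authorized reviewer")
        if user in req.approvals:
            raise ValueError(f"{user} has already reviewed {req.request_id}")

    def review(self, req: SensitiveRequest, user: str, passed_review: bool) -> str:
        """Record one reviewer's decision.

        passed_review should be True only after the reviewer confirmed the
        request with the claimed requester through a channel other than the
        email itself (phone, in person, a known-good chat). Any single
        reviewer can stop the request outright.
        """
        self._check_reviewer(req, user)
        if not passed_review:
            req.rejected_by = user
            return "rejected"
        req.approvals.append(user)
        return "approved"

    def complete(self, req: SensitiveRequest, user: str) -> str:
        """Execute the request: only with enough approvals and by a third person."""
        self._check_reviewer(req, user)     # also rejects anyone who approved
        if len(req.approvals) < self.required:
            raise RuntimeError(
                f"{req.request_id} has {len(req.approvals)} of {self.required} approvals")
        req.completed_by = user
        return "completed"


# Constructed staff directory for the example.
DIRECTORY = {"alice": "payroll", "bob": "hr", "carol": "controller", "dave": "sales"}


def simulate_scam_attempt() -> str:
    """The scenario from the post: the second reviewer spots the fake CEO email."""
    ctrl = DualControl(DIRECTORY)
    req = SensitiveRequest("REQ-1", claimed_requester="CEO")
    ctrl.review(req, "alice", passed_review=True)   # first reviewer is fooled
    ctrl.review(req, "bob", passed_review=False)    # CEO confirms it is not his
    return req.state


def simulate_legitimate_request() -> str:
    """A genuine request needs two approvers plus a third, different executor."""
    ctrl = DualControl(DIRECTORY)
    req = SensitiveRequest("REQ-2", claimed_requester="CFO")
    ctrl.review(req, "alice", passed_review=True)
    ctrl.review(req, "bob", passed_review=True)
    try:
        ctrl.complete(req, "alice")          # an approver may not also execute
    except ValueError:
        pass
    return ctrl.complete(req, "carol")


if __name__ == "__main__":
    print(simulate_scam_attempt())          # rejected
    print(simulate_legitimate_request())    # completed
```

The point of the model is that the check lives in the workflow rather than in the memory of whoever is handling the inbox that day: a request from someone outside the approver roles is refused, the same person cannot count twice, and a rejection by any reviewer is final. That is what turns "a second pair of eyes" from a habit into a control.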