The number of reported incidents hits triple digits Credit: Magdalena Petrova Tax season doesn’t officially end in the United States until April 18. At last count, 110 organizations have reported successful Phishing attacks targeting W-2 records, placing more than 120,000 taxpayers at risk for identity fraud.Many of those working for the victimized firms have had a stressful time dealing with the fallout. Those who have experienced this unique type of crime say it’s a nightmare. Some of those affected have had fraudulent returns filed under their name, in addition to issues with educational expenses. In one case, the scammers created flexible spending accounts with their stolen identities.The Phishing attacks causing so much damage, also known as BEC (Business Email Compromise) attacks, are simple and effective. They exploit trust relationships within the office, and in many cases, exploit the routine practice of sharing data via email.According to the IRS, these attacks are some of the most dangerous email scams the agency has seen in a long time. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” IRS Commissioner, John Koskinen, remarked in a warning issued last month.Based on from the National Center for Education Statistics (NCES), employment figures at Glassdoor, and data provided by the victims when they disclose the incidents to the Attorney Generals of California, Vermont, New Hampshire, etc., more than 120,000 taxpayers have been affected by a BEC attack through no fault of their own. In 2016, Databreaches.net tracked 145 BEC victims. With more than five weeks left in the current tax season, the count sits at 110 (as of 03-13-17) and shows no signs of slowing. Dissent, the administrator of Databreaches.net, has been keeping a running list of BEC attacks in 2017, the latest updates are available on her website.As mentioned, those impacted by the BEC attacks have described the aftermath as a frustrating nightmare, one that drains them of time and in some cases money when their returns are delayed. Others are turning to the courts for answers.In January, Sunrun – a solar panel maker in San Francisco, CA – was victimized by scammers pretending to be the company CEO. They disclosed the incident, but now face a class action lawsuit over the matter.Salted Hash will continue to follow the BEC activities this tax season and update as new developments emerge. In the meantime, if you’ve been affected by a BEC attack, you should consult the IRS Guide to Identity Theft, and follow their advice.Add your comments on any scams you have come across to our Facebook page. Related content news Gwinnett Medical Center investigating possible data breach After being contacted by Salted Hash, Gwinnett Medical Center has confirmed they're investigating a security incident By Steve Ragan Oct 02, 2018 6 mins Regulation Data Breach Hacking news Facebook: 30 million accounts impacted by security flaw (updated) In a blog post, Facebook’s VP of product management Guy Rosen said the attackers exploited a flaw in the website's 'View As' function By Steve Ragan Sep 28, 2018 4 mins Data Breach Security news Scammers pose as CNN's Wolf Blitzer, target security professionals Did they really think this would work? By Steve Ragan Sep 04, 2018 2 mins Phishing Social Engineering Security news Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved By Steve Ragan Aug 27, 2018 3 mins Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe