I have talked about CEO fraud many times: e-mail attacks that spoof the boss and social-engineer a high-risk employee into wiring funds to a bank account controlled by the bad guys.
And I probably also warned you against W-2 phishing, where scammers impersonate the boss and ask for a PDF with all employee tax forms. Per a new “urgent alert” issued by the U.S. Internal Revenue Service, internet criminals have now combined both schemes and at the same time are targeting a much wider range of organizations than ever before.
The IRS warned that phishers started this scam much earlier this year, attempting to extract W-2 data that can be used to file fraudulent tax refund claims, duping the actual taxpayers. The agency alerted that the scammers are also targeting a much wider range of organizations in these W-2 phishing schemes, including school districts, healthcare organizations, chain restaurants, temporary staffing agencies, tribal organizations and nonprofits. Even people who are not required to file a return can be victims of refund fraud, as can people who are not actually due a refund from the IRS.
Double Barrel Attack
W-2 phishers cooked up a new, more profitable scheme where after the successful W-2 phish they also attempt a cyberheist, looting the victim organization’s bank account. The IRS said that W-2 phishers now very often follow up with an “executive” email to the payroll or comptroller requesting that a wire transfer be made to a bank account they control.
“This is one of the most dangerous email phishing scams we’ve seen in a long time,” IRS Commissioner John Koskinen said. “Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars.” W-2 phishing scams first appeared in February last year and claimed many victims.
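A mail-gateway check for the double-barrel pattern described above, added here as an example and not part of the original post: it flags a message when an impersonation indicator (an executive's display name on an outside address, or a Reply-To that diverts answers off-domain) coincides with a request for W-2 data or a funds transfer. The organisation domain, executive names and sample messages are constructed for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Hypothetical values for this example: the organisation's own mail domain
# and the executives whose names a spoofed "boss" email would carry.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}

# Wording typical of the two halves of the scam the IRS describes.
W2_REQUEST = re.compile(r"\bW-?2s?\b|employee tax forms|wage statements", re.I)
WIRE_REQUEST = re.compile(r"wire transfer|wire the funds|bank account", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: str) -> dict:
    """Return impersonation and request indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    findings = []
    if display_name.strip().lower() in EXECUTIVES and domain_of(addr) != ORG_DOMAIN:
        findings.append("executive name on external sender address")
    if reply_to and domain_of(reply_to) != ORG_DOMAIN:
        findings.append("reply-to points outside the organisation")
    if W2_REQUEST.search(text):
        findings.append("asks for W-2 data")
    if WIRE_REQUEST.search(text):
        findings.append("asks for a funds transfer")

    impersonation = any(f.startswith(("executive", "reply-to")) for f in findings)
    request = any(f.startswith("asks") for f in findings)
    # "hold" means: route to manual review instead of delivering to payroll.
    return {"sender": addr, "findings": findings, "hold": impersonation and request}


# Constructed samples: the W-2 phish and the wire-transfer follow-up.
SAMPLE_W2 = (
    "From: Jane Doe <jane.doe@mail-example.net>\n"
    "To: payroll@example.com\nSubject: Urgent\n\n"
    "Send me a PDF of all employee W-2s for 2016 before noon.\n"
)
SAMPLE_WIRE = (
    "From: Jane Doe <ceo@example.com>\nReply-To: jane.doe@mail-example.net\n"
    "To: comptroller@example.com\nSubject: Vendor payment\n\n"
    "Please process a wire transfer of $48,000 to the bank account below.\n"
)
```

Both samples come back with `hold` set, while a routine internal note from the same executive with no off-domain address and no such request does not.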
As Brian Krebs noted earlier this week, scammers are also now selling 2016 employee W-2 forms that were phished or otherwise stolen from victim organizations, peddling individual W-2 tax records for between $4 and $20 apiece.
Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.
The IRS says organizations receiving a W-2 scam email should forward it to firstname.lastname@example.org and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3), operated by the FBI.
Employees whose Forms W-2 have been stolen should review the actions recommended by the Federal Trade Commission at www.identitytheft.gov or by the IRS at www.irs.gov/identitytheft. Employees should file a Form 14039, Identity Theft Affidavit, if their own tax return is rejected because of a duplicate Social Security number or if instructed to do so by the IRS.
Author: Stu Sjouwerman
Originally appeared at https://blog.knowbe4.com/