Surge in W-2 Phishing Campaigns Results in FBI Warning

March 3, 2018


The Federal Bureau of Investigation (FBI) has released a new warning for companies because of a major increase in phishing attacks targeting payroll employees. The objective of the phishing attacks is to obtain copies of employees' W-2 forms. Data on the forms is used to commit identity theft and tax fraud.

2017 saw the highest number of phishing campaigns targeting companies, educational institutions, and healthcare organizations. In some cases, the W-2 form data of thousands of workers was sent to scammers by payroll employees. The IRS reports that at least 200 companies were targeted and more than 900 complaints were registered in relation to tax-related scams.

The Internal Revenue Service (IRS) Online Fraud Detection & Prevention division has been on the lookout for phishing scams claiming to be from the IRS and has recorded a sharp increase in email scams. Although some email scams have specifically targeted consumers, companies are most at risk.

Consumer-focused scams usually involve IRS-themed emails, while attacks on companies usually see company managers and the CEO impersonated. The emails ask for copies of W-2 forms for employees who have worked in the past fiscal year.

The scammers usually research businesses to identify the style of emails used, the identity of the CEO and managers, and the payroll and accounts department employees to target. Some scams use spoofed email addresses; in others, the email accounts of managers have been compromised, adding legitimacy to the email requests.

In many cases, as soon as the attackers have obtained W-2 form data, a further request is sent asking for a wire transfer. Many organizations have fallen for these scams, which might not be noticed for some time.

The email scams can be very convincing and difficult to identify, particularly when email accounts have been compromised. Nevertheless, if basic security best practices are followed, risk can be limited.

The FBI suggested that businesses take the following steps:

  • Limit the number of employees who have access to employee tax data and are allowed to complete wire transfers.
  • Put in place processes that require changes to vendors' bank account information to be confirmed by phone, using telephone details taken from a contact list.
  • Implement procedures requiring wire transfers over a set threshold to be subjected to more rigorous security reviews, including confirmation by more than one staff member.
  • Require dual approval for wire transfers to all new trading partners and for non-standard transactions, including transfers to foreign accounts.
  • Perform out-of-band verification of all submitted requests for copies of W-2 forms and tax-related data.
  • Delay transactions to allow additional verifications to be performed.