With the 2019 tax season reaching full throttle, a volatile mix of conditions could fuel an unprecedented barrage of W-2 phishing scams through mid-April this year. For the businesses and employees who fall victim, the results can be disastrous.
W-2s, of course, are the IRS documents that United States businesses provide employees after the end of each year, documenting the employee's earnings, tax withholding, Social Security number, and address. The employee must include the information from the W-2 on their income tax returns.
These forms contain highly valuable personal information that cybercriminal organizations can monetize in any number of ways. For one thing, they can use it to file fraudulent tax returns. In 2017, between $1.68 billion and $2.31 billion was paid out in refunds that may have been claimed fraudulently through identity theft in the 2016 tax year. Last year, another $1.6 billion in fraudulent returns is estimated to have been paid out.
The information on W-2s can also be used to feed the growing marketplace for stolen identity information online. As it stands, W-2s can sell for between $4 and $20 on the Dark Web. So it's no wonder that there has been an 83% increase in the number of attacks targeting HR departments according to the 2018 Verizon Data Breach report. To make matters worse, these malicious schemes have been rapidly growing beyond corporate America to small businesses, school districts, universities, and even charities.
Taking the Bait
At their most basic, W-2 phishing scams are a form of business email compromise (BEC) attack. But where most email fraud is designed to manipulate employees into revealing login credentials or making wire transfers, these schemes are used to harvest W-2 information from employers en masse.
A typical scenario involves a phishing email purporting to come from the CEO, CFO, or other senior executive within the target company, which is sent to an employee in the organization's human resources or payroll departments. In most cases, the executive has an urgent request such as the following:
"I'm at a conference this week and I need to answer a query from the board—please send me an updated list of employees, including their 2018 W-2 and earnings summary in PDF form. I'm betwen [sic] sessions, so please send to me ASAP. Thank you."
The recipient, thrown off guard and eager to please senior executives, hurries to get the file sent before the requester grows impatient. There's no reason to be suspicious of the request—the name and address of the executive follow company email conventions. And the executive is indeed at a conference all week.
It's not until sometime after the unwitting employee hits "send" that he, or someone else in the company, will discover the con. In fact, many won't know until a number of employees discover that the IRS has turned down their own legitimate return.
With this year's 33-day government shutdown, many may not learn of the fraud until well after the April 15 tax filing deadline. As it stands now, all signs point to an increase in such cons either way.
Traditional Email Security Systems Are Defenseless
According to the Q1 2019 Email Fraud & Identity Deception Trends report from our cyber intelligence unit, IRS impersonation attacks surged in the fourth quarter of 2018: the agency was impersonated in nearly 1 in every 10 attacks, compared to less than 1% of attacks from July through September.
In instances when these attacks target businesses as part of W-2 scams, Secure Email Gateways (SEGs) and other security technologies that organizations have in place are unable to detect them because of the advanced identity deception techniques fraudsters use in their impersonations.
For example, cyber-thieves can use display name deception to disguise phishing emails sent from webmail accounts, leveraging trusted infrastructures such as Gmail, Yahoo, or Microsoft. Because they are simple, text-based email messages without malicious links or malware, these messages evade systems designed to scan for content or payloads. When such attacks are launched from a compromised email account within the same organization, the likelihood they'll be detected is small.
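A minimal header check for the display name deception described above, as an added example that is not part of the original article or any vendor's product. The organization domain, executive names, keyword pattern, and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for illustration: the organization's domain and its executives' names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe", "Sam Lee"}
W2_REQUEST = re.compile(r"\bw-?2s?\b|earnings summary|list of employees", re.I)

def normalize(name):
    """Order-insensitive, lower-cased name key so 'Doe, Jane' equals 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))

EXEC_KEYS = {normalize(n) for n in EXECUTIVES}

def assess(raw_message):
    """Return the reasons a message looks like an impersonated W-2 request."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # An executive's name in the display field, but the address is outside the org.
    if normalize(display) in EXEC_KEYS and domain != ORG_DOMAIN:
        reasons.append("executive display name on external address")
    # Replies silently redirected to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    # Plain-text body only; multipart handling is left out of this sketch.
    body = "" if msg.is_multipart() else msg.get_payload()
    if W2_REQUEST.search(f"{msg.get('Subject', '')}\n{body}"):
        reasons.append("requests W-2 or payroll data")
    return reasons

# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "To: payroll@example.com\n"
    "Subject: Urgent request\n\n"
    "Please send me an updated list of employees, including their 2018 W-2 "
    "and earnings summary in PDF form.\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: payroll@example.com\n"
    "Subject: Lunch\n\n"
    "Are we still on for noon?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, assess(raw))
```

A message sent from a compromised account inside the organization passes the first check, since both the name and the domain are genuine, which is why such requests also need out-of-band confirmation before any W-2 data is sent.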
As a result, many organizations are discovering they need to take an entirely different approach to email security in light of these trends. Instead of relying solely on analyzing content and infrastructure, Cloud Email Protection uses a modern, artificial intelligence-based solution designed to map communications between individuals, organizations, and infrastructures in order to spot anomalies that may signal fraud.
By integrating advanced machine learning technologies and real-time, global identity intelligence to recognize and infer the relationship between sender and receiver, Agari can spot telemetric and behavioral anomalies and block advanced email attacks.
A Scam for All Seasons
Unfortunately, tax fraud is just one of the ways cybercriminal organizations use the information found on W-2s. Those online marketplaces for stolen identity data I mentioned above can pay big dividends. Once acquired by other cyberthieves, the same information can be used for any number of identity theft-based swindles that are expected to result in $5.2 trillion in global business losses and additional operational costs over the next five years.
All this means that having solutions in place that can effectively detect, defend, and deter against these phishing assaults is imperative—on April 15th and every other day of the year.