New W-2 Phishing Scam Hits Businesses Twice| By |Luke Robbins

Well, it’s tax season again, which means it’s also W-2 theft season. This year’s phishing ploy is a new variation on one that first appeared last year, and this time the scammers aren’t content with just employee social security numbers; along with businesses, cybercriminals are also targeting schools, hospitals, non-profits, and even tribal organizations.

According to the IRS website, here’s how it works: “Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.”

To add insult to injury, the cybercriminals are double-dipping this year: after the initial email, they follow up “with an ‘executive’ email to the payroll or comptroller and ask that a wire transfer also be made to a certain account.” As a result, businesses are losing thousands of dollars along with sensitive employee information.

This kind of social engineering is not new, but most organizations are still not prepared to handle this increasingly common attack. Most employees believe that they wouldn’t fall for a scam like this, but it’s important to remember that these are not the kind of typo-ridden emails you’d get from ‘a Nigerian Prince’ – they’re highly-researched, highly-sophisticated and often quite difficult to discern from legitimate emails.

Common tactics include:

  • Spoofing emails to appear as though they’re coming from a higher-up in the company
  • Including details specific to the company or even the employee, adding legitimacy to the email
  • Putting some sort of pressure on the recipient, demanding the information and scaring the victim with fake repercussions if they don’t comply immediately

So how do you combat this kind of attack? With clearly defined organizational protocols, training and testing. Criminals get away with these emails when employees are confused or unsure about if and how they should alert a superior. But if you know that there is an established process for distributing sensitive information, and someone is trying to override that, you’ll be more likely to double check before handing over the info.

The IRS has urged those affected by the scam to report these thefts immediately so that the agency can prevent any tax-related identity theft from occurring. They have also provided guidelines for reporting the scam and general principles for staying safe online.

As always, stay vigilant. Tax season is painful enough, don’t let scammers make it even worse!

This article was originally published on

via Technology & Innovation Articles on Business 2 Community


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s