If it works, keep doing it—and make it better. That seems to be the philosophy of some identity thieves. Of course, “better” for them is “worse” for the rest of us. In this case, the issue is a scam that caught a lot of attention last year—the Form W-2 phishing scam—combined with an older, wire-transfer scam. As a result, thieves are using email to target some organizations in two ways.
Spoofing an executive
Here’s how the W-2 scam works. Cybercriminals use spoofing techniques to have an email appear to come from an organization’s executive. The thieves send the email to a specific employee in human resources or payroll, requesting a list of all employees and their Forms W-2.
Because the email appears to come from an executive, some employees feel a sense of urgency to reply with what was requested. Of course, W-2 forms give identity thieves everything they need to commit a variety of crimes, including filing fraudulent income tax returns.
Wire transfer scam
In the latest twist, the cybercriminal follows up with another “executive” email to someone with financial oversight, asking the recipient to make a wire transfer to the criminal’s bank account. While not tax related, the wire transfer scam has been coupled with the W-2 scam, and some organizations have lost both employee W-2s and thousands of dollars in wire transfers. Ugh.
Internal Revenue Service Commissioner John Koskinen called this “one of the most dangerous email phishing scams we’ve seen in a long time.” He said it could result in the large-scale theft of sensitive data.
An IRS urgent alert
The IRS this week issued an urgent alert to call attention to the two-edged scam. The agency also said that W-2 phishing scam attacks had spread from the corporate world to other sectors, including school districts, tribal organizations, and nonprofits.
In its alert, the IRS said organizations that receive a W-2 scam email should forward it to email@example.com and place “W2 Scam” in the subject line. Whether victimized or not, organizations should also file a complaint with the Internet Crime Complaint Center (IC3), operated by the Federal Bureau of Investigation.
Be careful with online “tax” searches
One other tip from the IRS in its alert: be leery of using search engines to find technical help with taxes or tax software. Selecting the wrong link could leave you with an infected computer and possible loss of data.
No doubt, email phishing attacks will continue and evolve, if for no other reason than that they’re relatively simple to execute. And even if only a small percentage of attacks actually pay off for cybercriminals, that payoff can be big—doubly so if an organization falls victim to both the W-2 and wire-transfer scams.
Be careful out there—and remind your favorite organizations that they should also be careful.
Posted by Cory Warren, editor