It’s tax season in the United States, and many organizations have just prepared their employee’s W-2s. You may have recently received the form in an electronic or paper format and are prepared for the opening day of tax filing on January 29th. Tax season also provides an opportunity for cyber criminals to attack your organization with a social engineering technique commonly referred to as phishing. Criminals are interested in collecting W-2s as the information on the form enables them to file many fraudulent tax returns, claim refunds and in many cases, avoid detection for months until the legitimate tax return is filed.
The last few years have seen the rise of “W-2 scams” (a type of phishing attack) where criminals, posing as the company CEO or a similar executive, email one or more employees in payroll, accounting, or human resources with an urgent request to send all W-2 forms. Typically these requests will be written so they appear to have been sent from one of the organization’s executives and the message will often contain a comment about being unreachable along with an immediate, pressing need for the W-2s. The sense of urgency and appearance of coming from a corporate executive are common psychological tactics used in phishing scams to increase the response rate.
How do the attackers identify the employees to target with their phishing emails? This information is often found on the internet. Corporate websites may be disclosing the roles of those who would be ripe to target while in other cases, the attackers will comb LinkedIn or other public forums to find job tiles, email addresses and other details that are useful in crafting a believable message that spurs the recipient to respond.
If your organization received a W-2 phish or fell victim and responded to the attacker’s request, here are some initial steps to follow.
If you received a W-2 phishing email but did not respond to the attacker
If you received a W-2 phish and fell victim
Here are several key dates related to this year’s tax filings
Need assistance with prevention, training or guidance in responding to this or similar attacks?
Contact VerSprite at 1-888-242-0263 to discuss.
VerSprite's emergency response teams will help your organization identify, contain, eradicate, and respond to security incidents.
We use our expertise to implement a practical strategy for incident response preparation and management, intrusion hunting/compromise assessment, and prevention and remediation recommendations. Learn More →