Phishers successfully tricking payroll pros into sharing employee data

In February, the US Internal Revenue Service (IRS) issued a warning about a 400 percent surge in tax-related phishing and malware incidents. The alert said that the most noticeable increase was in emails and messages impersonating the IRS or other persons and entities in the tax industry.

Then, on the first day of March came another warning, meant specifically for payroll and human resources professionals. The phishers have hit a gold mine: by impersonating company executives, they are repeatedly managing to trick the aforementioned pros into sending them employees’ W-2 forms.

“Because a W-2 form provides the employee’s name, Social Security number, address, and earnings information for the year with how much had been deducted for taxes, etc. – as well as the employer’s name and address – it provides everything criminals need to engage in tax refund fraud,” Dissent, the privacy advocate running the Office of Inadequate Security blog, explains.

“It used to be that in February and March, we’d see a number of reports of breaches involving employees’ W-2 tax statements that were due to printing or mailing errors. This year, we’re seeing reports of W-2 data theft via phishing.”

The blogger has been flagging reports of various companies being successfully targeted with this type of attack: Actifio, AmeriPride, Evening Post Industries, GCI, Main Line Health, and the latest, Seagate. Snapchat was hit earlier this month. And there are likely many more.

BEC phishing

The attack is effectively a variant of the Business Email Compromise (BEC) scam. But instead of going directly after the money, the attackers are after information that can be used for stealing money.

The IRS warns that the scam has already claimed several victims, “as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives.”

The fake emails almost always seem to be coming from the firm’s CEO, asking the payroll or HR employee to send the employees’ W-2 forms, in PDF form, “for review”.

“If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees,” IRS Commissioner John Koskinen advised.
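As an added illustration that is not part of the article, here is a small Python triage check for the kind of message the IRS describes: it flags mail whose display name is a known executive but whose address or Reply-To is not that executive's real mailbox, combined with a request for W-2 or payroll data. The executive list, company domain and sample messages are constructed assumptions.

```python
# Added example (not from the article): triage of CEO-impersonation W-2 requests.
# COMPANY_DOMAIN, EXECUTIVES and the sample messages are constructed assumptions.
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: display name -> real mailbox
W2_TERMS = ("w-2", "w2", "payroll", "social security")

def triage(raw: str) -> list:
    """Return the reasons a message looks like a W-2 BEC lure (empty list = no indicators)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    claimed = name.strip().lower()
    # Display name is a known executive, but the address is not that executive's mailbox.
    if claimed in EXECUTIVES and addr != EXECUTIVES[claimed]:
        reasons.append(f"display name '{name}' does not match {EXECUTIVES[claimed]}")
    # Reply-To steers any answer (and the attached W-2s) to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.split("@")[-1].lower() != COMPANY_DOMAIN:
        reasons.append(f"reply-to points outside {COMPANY_DOMAIN}: {reply}")
    # A request for employee tax data is only suspicious when it arrives from outside
    # the company or together with one of the spoofing indicators above.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    external = addr.split("@")[-1] != COMPANY_DOMAIN
    if any(term in text for term in W2_TERMS) and (reasons or external):
        reasons.append("requests employee W-2/payroll data")
    return reasons

# Constructed sample messages: one lure, one ordinary internal mail.
LURE = """From: Jane Doe <jane.doe@example-payroll.net>
Reply-To: ceo.office@mail-example.net
To: hr@example.com
Subject: W-2s for review
Content-Type: text/plain

Please send me all employee W-2 forms as PDF for review today.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Lunch
Content-Type: text/plain

Can we move the team lunch to Friday?
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, triage(raw))
```

A hit on any reason is a cue to verify the request out of band (a phone call to the executive), which is the check the IRS commissioner recommends.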

This year the last day for filing taxes falls on Monday, April 18. Until then, we can expect a continuing, steady stream of these emails hitting all types of companies. It remains up to them to educate their staff so they don’t fall for it.