During last year’s run-up to the US Tax Day, scammers mercilessly targeted companies’ payroll and human resources professionals, tricking them into handing over employees’ W-2 forms.
A W-2 form contains all the information criminals need to perpetrate tax refund fraud: the employee’s name, Social Security Number, address, and that year’s earnings information, as well as the employer’s name and address.
This year, the scammers are at it again, but they’ve also decided to widen their pool of targets. They have been spotted sending out W-2 phishing emails not only to corporate offices, but to school districts, tribal casinos, nonprofits, temporary staffing agencies, healthcare organizations, chain restaurants, and so on.
And, to add insult to injury, they are following up those phishing emails with a second message asking the organization's payroll or comptroller's office to perform a wire transfer that sends the money directly to an account controlled by the scammers.
W-2 phishing and wire fraud: A devastating combination
“Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers,” the IRS has warned.
Both of these emails arrive either from a genuinely compromised email account belonging to an executive in the organization, or from an address spoofed to look like an executive's (a forged display name, or a lookalike domain), so the sender's name alone is no proof that the request is legitimate.
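As an added example (not code from the original article or from the IRS), the following script applies the two observations above to inbound mail: it checks whether a message that presents an executive's name actually comes from that executive's known mailbox, whether a message claiming the organization's own domain carries a DMARC pass, whether a Reply-To redirects answers elsewhere, and whether the text asks for W-2s or a wire transfer. The domain, the executive roster and the three sample messages are constructed for illustration and are assumptions, not data from the article. The compromised-account case shows why header checks alone are not enough: the headers are genuine, so the only safe outcome is to verify the request out of band.

```python
"""Flag inbound mail that impersonates an executive and asks for W-2 data or a
wire transfer.  Added example; not from the original article.  The executive
roster, the domain and the sample messages are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organization's real mail domain and a
# roster mapping executive display names to the mailbox they actually use.
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}

# Requests the article says these scams make: W-2 forms and wire transfers.
REQUEST_RE = re.compile(
    r"\b(w-?2s?|wire transfer|wire (?:the )?funds|bank (?:account|details))\b", re.I)


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Return header findings, matched requests and a verdict for one message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()

    findings = []
    expected = EXECUTIVES.get(_norm(display))
    if expected and addr != expected:
        findings.append("executive display name but From address is %s" % addr)
    if _domain(addr) == ORG_DOMAIN:
        # Claims to be internal: require a DMARC pass recorded by our own
        # gateway in Authentication-Results (assumed to be added on ingress).
        auth = msg.get("Authentication-Results", "").lower()
        if "dmarc=pass" not in auth:
            findings.append("internal sender without DMARC pass (likely spoofed)")
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("Reply-To redirects to %s" % _domain(reply_to))

    payload = msg.get_payload(decode=True)  # samples are single-part text
    body = payload.decode("utf-8", "replace") if payload else ""
    text = "%s\n%s" % (msg.get("Subject", ""), body)
    requests = sorted({m.group(0).lower() for m in REQUEST_RE.finditer(text)})

    if findings and requests:
        verdict = "block"   # impersonation evidence plus a sensitive request
    elif requests:
        verdict = "verify"  # headers look genuine; may be a compromised account,
                            # so confirm by phone on a known number before acting
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"from": addr, "findings": findings, "requests": requests, "verdict": verdict}


# Constructed sample messages (not real mail).
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.janedoe@mail-example.net>
To: payroll@example.com
Subject: W-2s for all employees
Content-Type: text/plain

Kindly send me the W-2 of every employee as a PDF. I need it today.
"""

COMPROMISED = """From: Sam Lee <sam.lee@example.com>
To: comptroller@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Please process a wire transfer of $48,500 to the vendor account below before 3pm.
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Holiday schedule
Authentication-Results: mx.example.com; dmarc=pass
Content-Type: text/plain

Reminder that the office is closed on Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("benign", BENIGN)):
        result = analyze(raw)
        print(label, result["verdict"], result["findings"], result["requests"])
```

Running it prints "block" for the lookalike-domain W-2 request, "verify" for the wire request from an authentic executive mailbox, and "ok" for the benign note. The "verify" outcome is the important one: nothing in the headers distinguishes a compromised account from a legitimate sender, which is exactly why the request itself has to be confirmed through another channel.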
“Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers,” the IRS advised. Unexpected requests for wire transfers, changes to banking details, or bulk employee data should be confirmed through a second channel before anyone acts on them, for example by calling the requester on a number already on file rather than one supplied in the email itself.
“The W-2 scam is just one of several new variations that have appeared in the past year that focus on the large-scale thefts of sensitive tax information from tax preparers, businesses and payroll companies. Individual taxpayers also can be targets of phishing scams, but cybercriminals seem to have evolved their tactics to focus on mass data thefts,” the IRS concluded, and asked organizations to forward any W-2 scam email they might receive to them (to firstname.lastname@example.org, put “W2 Scam” in the subject line).