Even a cybersecurity firm can fall for a W-2 phishing scam

US Tax Day (April 18) is quickly approaching, and scammers are hard at work to get what they can before the set tax season deadline.

W-2 phishing scam

The US IRS is warning about last-minute email scams, aimed at collecting sensitive data (passwords, Social Security numbers, bank account or credit card numbers) and funnelling refunds to direct deposit accounts controlled by the scammers.

Despite warnings about W-2 phishing scams having been issued regularly since the beginning of the year, and last year's many high-profile examples of companies falling for the scam, the New York State Department of Taxation and Finance recently said that at least 65 companies in the state have been successfully targeted by scammers posing as company executives and asking payroll and HR staff to send them lists of employees and their personal information. In all, the information of 7,100 taxpayers has been stolen this way.

As a testament to how easy it is for unprepared employees to fall for this trick comes the news that even a cybersecurity firm can be victimized: Defense Point Security sent an email to affected current and former employees on Thursday, notifying them that their names, Social Security numbers, addresses, compensation and tax withholding amounts had been sent to the scammers.

“Fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone's taxes and request a large refund in their name,” Brian Krebs noted. “Scammers in tax years past also have massively phished online payroll management account credentials used by corporate HR professionals. This year, they are going after people who run tax preparation firms, and W-2s are now being openly sold in underground cybercrime stores.”

Finally, malicious tax-themed emails are not always aimed at collecting users’ information via phishing pages.

Popular tax-themed schemes

Microsoft today published an overview of the most frequently encountered tax-themed schemes, among them several aimed at infecting the target's machine with malware rather than harvesting credentials.

All of these schemes have one thing in common: they usually start with an email. Users are baited with claims that they are eligible for a considerable tax refund, fake notifications that a refund has been paid into their account, claims that they owe overdue tax, or fake subpoenas from the taxman. Lately, as Krebs noted, accountants and tax preparation firms are also being targeted with fake “tax preparation assistance needed” requests.
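The lures above, and the executive-impersonation W-2 request described earlier, leave recognisable traces in a message: an executive's display name on a mailbox that is not theirs, a Reply-To that steers the response to an outside address, tax-season phrases and pressure to act immediately. The following is an added example of a mail-gateway triage rule that scores those traces; it is not code from the article, the IRS or Microsoft, and the organisation domain, executive list and three sample messages are constructed for the demonstration.

```python
"""Constructed example (not from the article, the IRS, or Microsoft):
header and lure checks for tax-themed phishing, including the
executive-impersonation W-2 request. All domains, names and sample
messages are made up."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # hypothetical organisation
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox

# Lure phrases drawn from the schemes the article lists.
LURE_PATTERNS = [
    r"\bw-?2s?\b",                           # W-2 / W2 request to HR or payroll
    r"\b(all|every|list of) employees?\b",
    r"\btax refund\b",                       # "eligible for a refund" / "refund paid"
    r"\boverdue tax",
    r"\bsubpoena\b",
    r"\btax preparation\b",                  # "tax preparation assistance needed"
    r"\bsocial security number",
]
URGENCY = r"\b(asap|urgent(ly)?|immediately|today|within 24 hours)\b"


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str, org_domain: str = ORG_DOMAIN, executives: dict = EXECUTIVES) -> dict:
    """Score one RFC 5322 message and return its flags, score and verdict."""
    msg = Parser(policy=policy.default).parsestr(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    part = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (part.get_content() if part else "")).lower()

    flags, score = [], 0
    # 1. An executive's display name on a mailbox that is not theirs.
    real = executives.get(display.strip().lower())
    if real and from_addr.lower() != real:
        flags.append("display_name_impersonation"); score += 3
    # 2. Reply-To pointing somewhere other than the sending domain:
    #    the reply, W-2s attached, goes to the attacker.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        flags.append("reply_to_mismatch"); score += 2
    # 3. Sender outside the organisation.
    if _domain(from_addr) != org_domain:
        flags.append("external_sender"); score += 1
    # 4. Tax-season lure phrases and pressure to act now.
    lures = [p for p in LURE_PATTERNS if re.search(p, text)]
    flags += [f"lure:{p}" for p in lures]; score += len(lures)
    if re.search(URGENCY, text):
        flags.append("urgency"); score += 1

    return {"flags": flags, "score": score,
            "verdict": "hold_for_review" if score >= 3 else "deliver"}


# Constructed sample messages (not real traffic).
BEC_W2 = "\n".join([
    'From: "Jane Doe" <jane.doe@example-payroll.co>',
    "Reply-To: jdoe.ceo@webmail.example.net",
    "To: payroll@example.com",
    "Subject: W-2s needed ASAP",
    "",
    "Please send me the W-2s for all employees as a PDF today. I am in a meeting.",
])
REFUND_LURE = "\n".join([
    'From: "IRS Refund Department" <notice@irs-refund.example.net>',
    "To: jane.doe@example.com",
    "Subject: Your tax refund has been paid",
    "",
    "Confirm your bank account within 24 hours to release the refund.",
])
LEGIT = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: payroll@example.com",
    "Subject: Offsite lunch",
    "",
    "Can you confirm the catering headcount for Friday?",
])

if __name__ == "__main__":
    for name, raw in [("BEC_W2", BEC_W2), ("REFUND_LURE", REFUND_LURE), ("LEGIT", LEGIT)]:
        print(name, triage(raw))
```

The scoring is deliberately simple and complements, rather than replaces, SPF/DKIM/DMARC enforcement and an out-of-band verification rule for any request for employee data: a message whose From address is forged to the executive's exact mailbox passes the display-name check here and is caught only by sender authentication, while a request that arrives from the executive's real, compromised account is caught only by the human who picks up the phone.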

“Tax-themed malware and phishing attacks highlight an important truth: most cybercrime is after your hard-earned money,” Microsoft noted.

“But these attacks rely on social engineering tactics — you can detect them if you know what to look for. Be aware, be savvy, and be cautious in opening suspicious emails. Even if the emails came from someone you know, be wary about opening the attachment or clicking on links. Some malicious emails may be spoofing the sender.”