With tax season in full swing, the Internal Revenue Service (IRS), state tax agencies, and tax industry groups recently renewed a warning about Form W-2 email spear-phishing scams. The full press release is available here.
In this type of spear-phishing scam, cybercriminals create fake email addresses that closely mirror the email addresses of senior executives or those responsible for human resources and payroll. For example, the email address could be the same as the actual address except for one letter that has been changed or a hyphen that has been added. Using this "spoofed" address, the cybercriminal then emails a company employee asking for a copy of employee Form W-2s. Successfully phished W-2 information then will be used (by the initial fraudster or other cybercriminals who obtain the data) to file fraudulent income tax returns in the employees' names and to direct refunds to accounts controlled by the cybercriminals.
This form of "business email compromise" is extremely popular among cybercriminals—and successful. Overall, business email compromises increased by over 1,300 percent in 2016, and have resulted in over $3.1 billion in losses in recent years. In 2016, the IRS saw an increase of over 400 percent in the number of fraudulent tax returns tied to these types of business email compromises alone.
Just one month into 2017, multiple companies have been compromised by these schemes, and many more are being targeted. Notably, cyber-fraudsters have targeted companies of a wide variety of sizes, industries, and geographical locations.
The financial impact on the victim companies can be substantial.
First, almost every state has a statute that requires the victim company to notify its current and former employees if their Social Security numbers and other sensitive personal information have been stolen. Second, to mitigate the impact on their current and former employees, most companies offer identity theft protection and/or credit monitoring services free of charge. Finally, last year, a number of victim companies were the target of class action lawsuits purportedly brought on behalf of their current and former employees. In the lawsuits, the named plaintiffs alleged that the companies were negligent for not having the proper policies and procedures in place to stop the improper dissemination of the Form W-2s.
The victim companies suffer not only a financial impact, but also the loss of goodwill from their employees. For example, employees with false tax returns filed in their names will be forced to go through a lengthy process to rectify the issue with the IRS, and may be more susceptible to other forms of identity theft.
Companies can take a number of steps to reduce the likelihood of victimization by such business email compromises, including:
Adopting policies and procedures that prohibit or severely restrict the transmission of employee W-2 data by email;
Using technical controls focused on anti-phishing, data loss prevention, and digital rights management of files containing W-2 information;
Ensuring that any W-2 information that must be emailed is encrypted and that the decryption key is not included in or transmitted by email;
Requiring multi-factor authentication for any email request for W-2 or other sensitive data—such as telephone or face-to-face confirmation of the email request or provision of a verbal verification code known only to the parties before the data is transmitted or the decryption key provided; and
Providing relevant and periodic training of employees to spot such schemes and adhere to company policies and procedures regarding sensitive data.
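The look-alike sender pattern described above (an address identical to an executive's except for one changed letter or an added hyphen) is simple to screen for automatically, which is one of the technical anti-phishing controls the list recommends. The following is an added example, not code from the IRS, the FBI or the authors of this post: it parses an inbound From: header, compares the sender's domain to the company's domain by edit distance, checks whether a display name borrows a trusted role, and then triages any message that asks for W-2 data. The company domain, trusted mailboxes and sample messages are all constructed for the example.

```python
"""Screen inbound mail for W-2 requests from look-alike sender addresses.

Constructed example: the domain examplecorp.com, the trusted mailboxes and
the sample messages below are hypothetical.
"""

import re
from email.utils import parseaddr

# Hypothetical mailboxes that might legitimately discuss W-2 data.
TRUSTED_DOMAIN = "examplecorp.com"
TRUSTED_SENDERS = {
    "cfo@examplecorp.com": "Chief Financial Officer",
    "payroll@examplecorp.com": "Payroll",
}

# Words that mark a message as a request for W-2 or related data.
W2_KEYWORDS = re.compile(r"\b(w-?2s?|payroll|social security)\b", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance: number of single-character inserts, deletes
    or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Classify a From: header as trusted, internal, lookalike or external."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in TRUSTED_SENDERS:
        return "trusted"
    _, _, domain = addr.rpartition("@")
    if domain == TRUSTED_DOMAIN:
        return "internal"
    # One letter changed, one hyphen added or removed, or a TLD trimmed:
    # exactly the "almost identical address" pattern in the IRS warning.
    if edit_distance(domain, TRUSTED_DOMAIN) <= 1:
        return "lookalike"
    # An outside address wearing a trusted role as its display name.
    if display and display.strip().lower() in (
        t.lower() for t in TRUSTED_SENDERS.values()):
        return "lookalike"
    return "external"


def triage(message):
    """message is a dict with 'from', 'subject' and 'body' keys.
    Returns (action, reason) for the mail-handling workflow."""
    sender = classify_sender(message["from"])
    text = message["subject"] + " " + message["body"]
    if not W2_KEYWORDS.search(text):
        return ("allow", "no W-2 request")
    if sender in ("trusted", "internal"):
        # Policy: W-2 data never goes by email; confirm the request
        # by phone or in person before anything is released.
        return ("verify-out-of-band", "W-2 request from %s sender" % sender)
    return ("block", "W-2 request from %s sender" % sender)


# Constructed sample traffic covering each sender class.
SAMPLE_MESSAGES = [
    {"from": "CFO <cfo@examplecorp.com>",
     "subject": "W-2 copies", "body": "Please send me the employee W-2s."},
    {"from": "CFO <cfo@example-corp.com>",
     "subject": "Urgent: W-2s", "body": "Send all employee W-2s as PDF."},
    {"from": "CFO <cfo@examp1ecorp.com>",
     "subject": "Payroll", "body": "I need the payroll summary today."},
    {"from": "Payroll <hr-team@mail.example>",
     "subject": "W2 request", "body": "Forward the W2 forms to this address."},
    {"from": "Vendor <billing@vendor.example>",
     "subject": "Lunch", "body": "Pizza at noon?"},
]


def run_samples():
    """Triage every sample and return the list of actions, in order."""
    return [triage(m)[0] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, action in zip(SAMPLE_MESSAGES, run_samples()):
        print("%-22s %s" % (action, m["from"]))
```

The edit-distance threshold of one matches the specific substitutions the warning describes; raising it catches more variants at the cost of false positives on unrelated domains, so a production filter would pair it with a short allow-list of partner domains and with SPF/DKIM/DMARC results for the company's own domain.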
More information about these and other business email compromises is available on the website of the FBI's Internet Crime Complaint Center. The IRS's "Taxes. Security. Together." webpage also includes tips for avoiding internet-facilitated tax fraud.
If your company is victimized by this type of spear-phishing scam, you should contact outside legal counsel as quickly as possible to initiate a privileged investigation and mitigation strategy, start the notification process, and work with law enforcement agencies, if necessary.