On March 1, the IRS posted an alert to all HR and Payroll Professionals detailing a new trend in cybercrime and tax fraud, "spoofing" for W-2 forms.[i] Numerous businesses have reported that accounting, human resources, or tax professionals received emails, which appear to be from an executive at the company, requesting copies of the company’s 2015 W-2 forms. Several companies have already reported being compromised by this simple attack, which often targets more junior employees in the accounting or human resources departments, with the sender posing as an executive in need of the W-2 information.
For example, the phishing email may look like the one below, with the sender appearing to be a company executive[ii]:
Given the subject and timing of this activity, the IRS and other cybercrime experts believe that this is the latest attempt to capitalize on the lucrative practice of filing fraudulent tax returns for refunds. Filing fraudulent returns can yield so much cash that, for the 2013 filing season alone, the IRS estimates over 5 million tax returns were filed using stolen identities, claiming a total of $30 billion in fraudulent refunds. While the government was able to stop or recover 81% of the fraudulent claims, that still leaves over $6 billion gained from fraudulent filings.[iii] Last year, approximately 330,000 taxpayer accounts on the official IRS website were claimed by cybercriminals looking to get copies of past filings, making it more difficult for victims of fraudulent filing to get access to their tax information.
What to Look Out For
Spoofing, also known as Business Email Compromise (BEC), is a type of spear phishing attack that targets employees in your organization with access to valuable information by sending a communication that appears to be from a trusted individual, such as a company executive. What makes these attacks so dangerous is their apparent legitimacy. The header of the email may look exactly as one would expect, mirroring the company fonts, duplicating automated signature blocks, and containing the actual email address of the spoofed executive in the “From:” line. Often, the return email address won’t even be visible until after the reply is sent unless the user specifically expands the address field. Some cybercriminals have registered domain names that are only a few characters divergent from the company’s legitimate domain name, such as substituting the number one (1) for the letter "l" or replacing a ".org" with a ".com". Additionally, spoofing attacks may contain personal details gleaned from social media that induce trust in the targeted individual such as referencing a recent vacation or life event.
It is also important to remember that these types of attacks are not just used for tax scams. Spoofing and other BEC attacks are often used to target accounting professionals in order to gain information about your proprietary business information, corporate bank accounts, employee salary direct deposit accounts, wire transfer credentials or even prompting individuals to initiate fraudulent wires. Any information of value to your company or your employees can be, and has been, targeted by cybercriminals.
So, how should you protect your company and employees from a spoofing attack? Awareness of the problem is key. Hardly anyone would be fooled by the “Nigerian Prince” scam today, because it has become synonymous with fraud in popular culture. Unfortunately, cybercriminals have become much more sophisticated in their attacks and few people are accustomed to being skeptical of direct requests from their bosses. As a first line of defense, it is a good idea to train employees who handle sensitive information and ensure that they feel empowered to confirm the legitimacy of any such request, regardless of who appears to have sent it.
Further Information and Resources
To help inform yourself and your employees on the dangers of spoofing, the Department of Justice, the IRS, and the FBI have provided examples of emails confirmed to be fraudulent. Here are some things to watch for:
· Requests which discourage contacting the executive for confirmation.
· Emails containing the following language:
o "Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review."
o "Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)."
"I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap."
Email communications allegedly from the IRS or other tax companies. The IRS has explained that it does not send unsolicited email, text messages or use social media to discuss personal tax issues. Therefore, if an employee of your organization receives an email or telephone call from someone claiming to be an IRS employee and demanding money, it may be helpful to consult the IRS Tax Scams/Consumer Alerts webpage: http://www.irs.gov/uac/Tax-Scams-Consumer-Alerts.
What to Do If You Are Already a Victim
If you believe that your organization has already been victimized by a W-2 spoofing attack or any other BEC, it is important to respond quickly. You should alert your incident response or risk management team and your primary legal counsel immediately. If you don’t have an incident response team already in place, your legal counsel can help coordinate the necessary response actions. Additional information is available in the Ice Miller Data Breach Response Quick Reference. A swift response can reduce the total damage to your organization and your employees. The IRS has advised that the best way for individuals to protect themselves from fraudulent filing is to file their 2015 taxes as soon as possible. Additionally, affected individuals should promptly claim their account on IRS.gov with a legitimate email account so that they can monitor their tax documents for fraudulent activity.
Ice Miller’s Data Security & Privacy Practice helps clients assess risks. We work with clients to help them implement a strong data security and privacy program. Stephen Reynolds, a former computer programmer and IT Analyst, is a co-chair of Ice Miller’s Data Security and Privacy Practice. Stephen can be reached at firstname.lastname@example.org or (317) 236-2391. Nick Merker, a former systems, network, and security engineer, is also a co-chair of Ice Miller’s Data Security and Privacy Practice and speaks frequently on international data transfers in the United States and abroad. Nick can be reached at email@example.com or (312) 726-2504. Emily Storm-Smith is an attorney in Ice Miller’s Business Services Group. Emily’s top two areas of focus are Corporate Advising and Data Security & Privacy. Emily Storm-Smith can be reached at firstname.lastname@example.org or (317) 236-2224.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how the issues discussed herein apply to the reader’s specific circumstances.
[i] U.S. Internal Revenue Service, IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s (March 1, 2016) available at https://www.irs.gov/uac/Newsroom/IRS-Alerts-Payroll-and-HR-Professionals-to-Phishing-Scheme-Involving-W2s.
[ii] Symantec.Connect, Business email compromise scammers add tax return fraud to their toolbox (March 3, 2016) available at http://www.symantec.com/connect/blogs/business-email-compromise-scammers-add-tax-return-fraud-their-toolbox.
[iii] U.S. Department of Justice, Stolen Identify Refund Fraud (March 3, 2016) available at https://www.justice.gov/tax/stolen-identity-refund-fraud.