W2 phishing

Phishing is a nasty business that runs 24/7/365. During tax season, a special type of phishing attack tries to access a company’s W2 files for all current and/or past employees.

The real danger here is that the attacker has done their homework ahead of time so as to create a believable message that carries a fair amount of weight and seems like a reasonable request from an authoritative source.

With a bit of research, an attacker can find out:

  • The name, job title, contact information and possibly some personal data on their chosen victim, usually a member of the accounting department
  • The name, job title and contact information of at least one member of upper management in the target company
  • The size of the company (how many employees)

Using just that little bit of information, an attacker can create an email account with any free email provider, setting the display name to match the name of one of the company’s officers. They can even register a domain name similar to the company’s domain, but off by a single character. This works especially well if they substitute a number zero in place of a letter “o”, a capital ‘I’ for a lower-case ‘l’, or replace the letter “m” with the letters “rn”, for example:

  • Important Person <vip@cornparitech.com>
  • Very Important Person <vip@exampIe.com>

They then craft their email requesting just about any information from their chosen target and expect an immediate reply. As the email is addressed directly to their chosen victim and appears to come from either that person’s boss or someone even higher in the company, they can also expect a much higher success rate than a normal phishing attack.

The goal is to access the personnel files, especially tax documents: IRS form W2 for all current and past employees. Not only will the attacker gain access to every employee’s personally identifiable information (PII), like full legal name, physical address and social security number, but they also get the company’s EIN, legal entity name, and address.

They can even expand the request to include all of the W9s for any contractors that have been employed by the company, past or present. While most professional entities will provide an EIN on the W9 that they submit, a lot of independent contractors are doing business as themselves instead of an incorporated company and still provide their social security number instead of an EIN.

The scary part is that these types of attacks are usually far more successful than normal phishing attacks. The amount of research needed isn’t all that great, and, according to the Bloomberg Payroll Blog, the success rate can be as high as 23 percent for a well-researched attack. Most of the information that a scammer would need is publicly available through the company’s website or its social media presence.


How do I spot a W2 phishing email?

Because of the research that goes into this type of attack, spotting a W2 phishing attempt is much more difficult than spotting a generic phishing email.

  • The attacker will try to impersonate someone that has the authority to make the request
  • The person being impersonated is usually someone that the target wouldn’t think of questioning
  • The target has been selected by the attacker because they have access to the employee files as part of their normal work
  • The specially crafted email is addressed directly to the target rather than a generic email address, like “accounting@targetcompany.com”
  • The request itself appears to be as innocuous as a request for the day’s outgoing expenses

All of this makes phishing very difficult to spot, especially for someone who does not view such a request as remotely suspicious. The main defense here is going to be education. The main people that need this education are the potential targets of this type of attack: accounting and payroll employees. But let us not forget the other people involved in this type of scam, the corporate officers that might be impersonated.

Accounting and payroll personnel need to be made aware of how easy it is for an imposter to “spoof” pretty much any email address, even that of the company’s CEO. The corporate officers need to be aware of the fact that virtually anyone can impersonate them via email. While these officers will most likely not see these emails themselves, they are still involved in the process simply because they are corporate officers.

Examples of W2 Phishing emails

The emails are usually very short and to the point. They are constructed, after all, to look like they are coming directly from someone in upper management, someone who doesn’t waste time with small talk or explanations.

    • Kindly send me the individual 2017 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review
    • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)
    • I want you to send me the list of W-2 copy of employees wage and tax statement for 2017. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap
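The sender-side indicators described above (an officer’s display name on an outside address, a look-alike domain built with “rn” for “m”, a zero for “o” or a capital “I” for “l”, a Reply-To that points elsewhere, and a body that asks for W-2 or earnings data) can be checked mechanically before a message ever reaches the payroll inbox. The script below is an added example, not code from the original article: it parses two constructed messages with Python’s standard email module. The company domain example.com, the officer directory, the look-alike table and the keyword list are assumptions made for the illustration.

```python
"""Flag inbound mail that impersonates a company officer to request W-2 data.

Added example, not code from the original article. The company domain,
the officer directory, the look-alike table and the two sample messages
are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # constructed
OFFICERS = {                            # constructed directory: name -> real address
    "important person": "vip@example.com",
    "very important person": "ceo@example.com",
}
# Phrases that mark a request for payroll or identity data.
PAYROLL_TERMS = re.compile(
    r"\b(w-?2s?|w-?9s?|earnings summary|social security|ssn|date of birth|salary)\b",
    re.IGNORECASE,
)
# Substitutions from the article (rn for m, 0 for o, capital I for l) plus two common extras.
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize_domain(domain: str) -> str:
    """Fold look-alike characters so cornparitech.com and exampIe.com collapse
    onto comparitech.com and example.com; applied to both sides before comparing."""
    folded = domain.replace("I", "l").lower()   # capital I first, before lowercasing
    for fake, real in LOOKALIKES:
        folded = folded.replace(fake, real)
    return folded


def domain_of(address: str) -> str:
    """Part after '@', case preserved so the I/l check still works."""
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def assess(raw_message: str) -> dict:
    """Return the impersonation indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    impersonation = []

    # 1. Display name of an officer on an address that is not the officer's.
    key = " ".join(name.split()).lower()
    if key in OFFICERS and address.lower() != OFFICERS[key]:
        impersonation.append(f"display name '{name}' with address {address}")

    # 2. Domain that is not ours but folds onto ours.
    if (from_domain.lower() != COMPANY_DOMAIN
            and normalize_domain(from_domain) == normalize_domain(COMPANY_DOMAIN)):
        impersonation.append(f"look-alike domain {from_domain}")

    # 3. Replies routed to a third domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to).lower() != from_domain.lower():
        impersonation.append(f"Reply-To {reply_to} differs from From")

    payload = msg.get_payload(decode=True)
    text = payload.decode(errors="replace") if isinstance(payload, bytes) else str(payload)
    requests_pii = bool(PAYROLL_TERMS.search(text))
    return {
        "from": address,
        "impersonation": impersonation,
        "requests_pii": requests_pii,
        # Both together is the W-2 phishing pattern; either alone goes to manual review.
        "suspicious": bool(impersonation) and requests_pii,
    }


# Constructed sample messages (not real mail).
PHISH = """\
From: Important Person <vip@exampIe.com>
Reply-To: Important Person <reply@mail.invalid>
To: payroll@example.com
Subject: W-2 for review

Kindly send me the individual 2017 W-2 (PDF) and earnings summary of all
W-2 of our company staff for a quick review.
"""

LEGIT = """\
From: Important Person <vip@example.com>
To: payroll@example.com
Subject: Thursday

Are we still on for the budget meeting Thursday?
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(assess(sample))
```

The folding is applied to both the sender’s domain and the company’s own domain, so a legitimate domain that happens to contain “rn” is not mangled; the check only fires when the two differ as written but match after folding. A message that asks for payroll data from the officer’s genuine address is not flagged here, which is exactly the case the out-of-band verification step later in the article is meant to cover.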

How do I avoid getting phished?

The trick here isn’t in spotting the scam, but rather in having systems in place that prevent this type of breach to begin with. Luckily, this can be a lot easier than one might think. First, put appropriate policies in place. Things like:

  • Any document that contains “personally identifiable information” is to be classified as “sensitive” or “secure” information
  • Only a small group of people will have access to this classification of information, no exceptions
  • The storage medium of this information needs to be encrypted, kept in a physically secure location and zealously guarded by the corporate IT team
  • Access logs need to be kept on any and all sensitive data

The storage of this data doesn’t need any special configuration or customized encryption system, because the common vector is through those who normally have access, rather than a direct attack on the file storage system itself. When it comes to W2 phishing, the scammer doesn’t make any attempt to “break in” to get access to the employee files. They simply ask someone who already has access to send the files to them via email.

Next, a few new procedures need to be implemented for gaining access to secured data. A few suggestions include:

  • New access rights need to be approved, in writing, by the CFO, VP of Accounting or the Accounting department head
  • Actual access can only be granted by the IT Administrator or Manager of IT
  • Mandatory security training needs to be attended before access will be granted to any sensitive data
  • Ongoing security training is to be given to all employees with similar access, regardless of their position in the company
  • Simplest of all, introduce a second factor of authentication for any such request: the employee who receives the request follows up with the requester, either over the phone or in person, to verify the details before sending anything
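The policies and procedures above (written approval by the CFO, VP of Accounting or the department head, mandatory training before access, a small access group, and access logs on all sensitive data) only help if someone actually reviews the log against the grants. The script below is an added example, not code from the original article: it replays a constructed CSV access log for a W-2 archive against a constructed table of written grants and reports every access that breaks one of those rules. The log format, the grants table, the list of authorized approvers and the bulk threshold are all assumptions; the export to a look-alike domain in the sample log is what a successful W-2 phishing attack looks like in the log after the fact.

```python
"""Check an access log for the W-2 archive against the written access grants.

Added example, not code from the original article. The log format, the
grants table, the approver list, the bulk threshold and the sample log
lines are constructed for illustration.
"""
import csv
import io

COMPANY_DOMAIN = "example.com"      # constructed
BULK_THRESHOLD = 25                 # an export of this many records counts as bulk
# Roles allowed to approve access in writing (the article's CFO / VP of Accounting / department head).
APPROVERS = {"cfo", "vp.accounting", "accounting.head"}

# Written access grants (constructed): who approved, training done, expiry.
GRANTS = {
    "payroll.clerk": {"approved_by": "cfo", "training_done": True, "expires": "2018-12-31"},
    "hr.intern": {"approved_by": "cfo", "training_done": False, "expires": "2018-12-31"},
    "temp.staff": {"approved_by": "office.manager", "training_done": True, "expires": "2018-12-31"},
}

# Constructed log; an empty destination means the record was viewed, not sent.
ACCESS_LOG = """\
timestamp,user,action,classification,record_count,destination
2018-02-01T09:12:00,payroll.clerk,view,sensitive,1,
2018-02-01T09:40:00,payroll.clerk,export,sensitive,312,vip@exampIe.com
2018-02-01T10:05:00,hr.intern,view,sensitive,1,
2018-02-01T11:30:00,contractor.bob,export,sensitive,40,bob@example.com
2018-02-01T12:00:00,temp.staff,view,sensitive,1,
2018-02-02T08:00:00,payroll.clerk,export,sensitive,3,hr@example.com
"""


def review(log_text: str, grants: dict, as_of: str) -> list:
    """Return one finding per log line that breaks a policy rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["classification"] != "sensitive":
            continue
        problems = []
        grant = grants.get(row["user"])
        if grant is None:
            problems.append("no written access grant")          # rule: approved in writing
        else:
            if grant["approved_by"] not in APPROVERS:
                problems.append(f"approved by {grant['approved_by']}, not an authorized approver")
            if not grant["training_done"]:
                problems.append("training not completed")       # rule: training before access
            if grant["expires"] < as_of:                        # ISO dates compare as strings
                problems.append("grant expired")
        if row["action"] == "export":
            count = int(row["record_count"])
            if count >= BULK_THRESHOLD:
                problems.append(f"bulk export of {count} records")
            dest = row["destination"]
            if dest and not dest.lower().endswith("@" + COMPANY_DOMAIN):
                problems.append(f"sent outside {COMPANY_DOMAIN}: {dest}")
        if problems:
            findings.append({"timestamp": row["timestamp"], "user": row["user"],
                             "problems": problems})
    return findings


if __name__ == "__main__":
    for f in review(ACCESS_LOG, GRANTS, as_of="2018-02-02"):
        print(f["timestamp"], f["user"], "; ".join(f["problems"]))
```

Run daily over the previous day’s log, the bulk-export-to-outside-domain finding is the one that matters most for this scam: by the time it appears the data has already left, so the value of the review is in shortening the window before the company notifies affected employees and the IRS, not in preventing the send. Prevention is still the out-of-band verification step above.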

The main warning in this is that scammers are getting more and more clever with their tactics. They are skilled in social engineering and researching their chosen targets. The tricks and tactics employed by these people are ever-evolving. When one trick stops working, they develop another and will continue to do so.

The success rate of these types of attacks is so high that the FBI has issued a security advisory warning against a spike in W2 phishing attacks. In March of 2017, Jonathan Crowe announced that W2 phishing attacks had already been used successfully against over 100 companies, with 120,000 employees compromised.

This is why ongoing security training needs to be included in any set of procedures for combating this threat to your data security. Can you think of any other tools for keeping your data safe? Have you seen a program or application that helps protect data that isn’t mentioned here? Tell us about it in the comments.


Image source: Colin on Wikimedia Commons licensed under CC BY SA 4.0