IRS Warns: New Email Phishing Combines W-2 Theft, Wire Fraud

February 5th, 2017

The IRS is currently warning of one of the “most dangerous” types of scams, where criminals are successfully tricking businesses and organizations into sending wage data on employees, and then making fraudulent wire transfers.

Some companies have already lost thousands of dollars to this scheme this year, the IRS says. The criminals target not only businesses but also school districts, not-for-profit organizations, casinos, restaurants and temporary staffing agencies.

“This is one of the most dangerous email phishing scams we’ve seen in a long time,” says IRS Commissioner John Koskinen. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.”

Last year, the IRS saw for the first time attempts to trick companies into sending out batches of employees’ W-2 forms, the annual wage and salary reports required to file a tax return. The forms contain names, addresses, Social Security numbers and wage data.

To convince unwitting employees to send the information, the criminals modify emails to make it appear the message comes from someone within the same organization. The emails often target payroll or human resources officers, with the sender purporting to be an executive.

On Jan. 25, the IRS warned it was seeing new attempts at W-2-related fraud this year. Just over a week later, the IRS said it is seeing that scam combined with fraudulent wire transfers.

Wire Fraud
If the request for the W-2s is successful, the criminals then send another request for a wire transfer.

“Some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers,” the IRS says.

The FBI started tracking this activity in October 2013. Since then, the agency estimates criminals have collectively stolen or attempted to steal $3.1 billion globally.

The FBI’s Boston bureau warned in December of a dramatic increase in the scams. In Massachusetts, Maine, New Hampshire and Rhode Island, $33 million has been stolen, with an average loss of $90,000.

The scam is simple social engineering that takes advantage of weak internal security controls. But the spoofing of email addresses can be difficult to catch. In another variation of the scheme, the criminals will create email addresses using domain names that are one letter different, in hopes no one will catch the mistake.
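The one-letter-different domains described above can be flagged at the mail gateway or in a triage script. The following is an added example, not part of the original article: it labels the From and Reply-To domains of a message as internal, lookalike or external, and goes slightly beyond "one letter different" by also catching an added, dropped or swapped letter. `example.com` and the sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; example.com stands in for the organization's real domain.
SAMPLE = (
    "From: Pat Example <pat@examp1e.com>\n"
    "Reply-To: pat@example.com\n"
    "To: payroll@example.com\n"
    "Subject: constructed sample\n\n"
)


def within_one_edit(a: str, b: str) -> bool:
    """True if a, b differ by at most one edit (substitute/insert/drop/swap)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0  # length of the common prefix
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        swapped = a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]
        return a[i + 1:] == b[i + 1:] or swapped
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return longer[i + 1:] == shorter[i:]


def classify_domain(domain: str, org: str) -> str:
    """Label a sender domain as internal, lookalike, or external."""
    domain = domain.lower().rstrip(".")
    if domain == org or domain.endswith("." + org):
        return "internal"
    return "lookalike" if within_one_edit(domain, org) else "external"


def review_message(raw: str, org: str) -> list[str]:
    """Report From/Reply-To addresses whose domain imitates org."""
    findings = []
    msg = message_from_string(raw)
    for header in ("From", "Reply-To"):
        domain = parseaddr(msg.get(header, ""))[1].rpartition("@")[2]
        if domain and classify_domain(domain, org) == "lookalike":
            findings.append(f"{header}: {domain} imitates {org}")
    return findings


if __name__ == "__main__":
    print(review_message(SAMPLE, "example.com"))
```

A lookalike verdict is a reason to hold the message for the phone or in-person verification the FBI recommends; it does not catch mail sent from a legitimately compromised internal account.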

More advanced fraudsters run phishing schemes to get email credentials to actually log into legitimate accounts. They then do extensive reconnaissance, figuring out an organization’s procedures in order to craft an email request for a wire transfer that won’t look suspicious.

Verify Wire Transfer Requests
The best defense against the attacks focuses on security policies and processes.

“Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers,” the IRS advises.

The FBI recommends that any email requests to send money be verified with the person who requests it, either on the phone or in person. That same advice could be safely applied to mass requests for W-2s.

The IRS says it has put in place measures that can identify fraudulent tax returns, if an organization reports the theft of W-2s. The agency also advises that victims file a report with the FBI’s Internet Crime Complaint Center.

Contact Intelisec to prevent data theft in your organization. If your business or organization has been a victim of this scam, contact us, as well. We can assist your employees, and prevent further data theft.