Tax season has begun, and with it comes renewed opportunity for cybercriminals to steal W-2 information in order to file fraudulent tax returns or sell employee data on the dark web. The past two weeks have seen at least 24 organizations publicly tied to W-2 data breaches — and more breach announcements will likely be made in the coming months.
The simple but effective phishing emails used by malicious actors mirror last year’s wave of successful W-2 thefts. The scammers impersonate an executive and use that authority, along with the timeliness of tax season, to dupe payroll and human resource employees into handing over entire rosters of W-2 information at once.
Numerous organizations have fallen for the ruse so far in 2017, including:
- School districts such as Argyle Independent School District in Texas, Belton Independent School District in Texas, Davidson County Schools in North Carolina, Dracut Public Schools in Massachusetts, Lexington School District Two in South Carolina, Mercedes Independent School District in Texas, Morton School District in Illinois, Odessa School District in Missouri and Tipton County School District in Tennessee.
- Healthcare-related organizations such as Campbell County Health, eHealth, Kuhana Associates, Persante Health Care and Pointe Coupee General Hospital.
- A variety of businesses in other sectors such as online ad management platform Marin Software, furniture company Mitchell Gold + Bob Williams, solar financing company Renovate America, restaurant chain Scotty’s Brewhouse, residential solar company SunRun, translation services company TransPerfect, and UGI Utilities.
In addition to those organizations, Brian Krebs reported that an actor on the dark web is selling stolen W-2 information tied to more than 3,600 individuals. Information purchased by a source revealed data from Kirai Restaurant Group in Fort Lauderdale and an unnamed doctor’s office in Boca Raton. However, both of those organizations told Krebs that they used a third-party payroll management firm called The Payroll Professionals. That company said it is “aware of the potential hacking” but has yet to make a public announcement.
Altogether that means 24 distinct organizations have been tied to W-2 breaches so far this year, plus any additional clients that may be tied to the incident at The Payroll Professionals.
At least seven of the victims so far have been in the education group, and there have been reports of an even larger number of school districts being unsuccessfully targeted with similar phishing emails. This falls in line with trends from last year’s threat intelligence data.
The IRS issued an alert last week warning organizations to be on the lookout for these types of phishing scams, which may include requests in the email body such as:
- Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
The scam relies on tricking employees into emailing sensitive information. The best way to combat these types of threats is to ensure that employees are aware of ongoing phishing campaigns and that those employees are properly trained on the best ways to defend against social engineering.
Organizations should use a combination of user-awareness/education and anti-phishing tools to keep employees continually informed of evolving phishing campaigns and to have some mitigation and policy enforcement in place. By creating a culture where employees are encouraged to question unusual requests and confirm those requests via a secondary communications channel, organizations can greatly reduce the risk of employees falling for these types of scams.