On Thursday February 2 the IRS put out a press release warning schools, hospitals, restaurants, tribal groups and "others" to be on the lookout for a sophisticated W-2 phishing scam that has netted crooks millions of dollars and cost employees, in some instances, their jobs. This diverse list of potential targets and "others" is of note because the W-2 phishing scam is growing in reach and effectiveness, hoovering up a larger and more diverse group of victims. Discovered in 2016, the W-2 scam is particularly dangerous because it is a blended attack that targets employees with the authority to do two things: release employees' W-2 tax information in bulk and/or conduct wire transfers on behalf of their employers. Wire transfer scams are called business email compromise (BEC) scams and are carried out using means similar to the W-2 attacks.
"This is one of the most dangerous email phishing scams we've seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns," said IRS Commissioner John Koskinen, in a statement. Blended attacks are more sophisticated versions of a spam phishing attack. Spam attacks cast wide nets to reel in random victims. Blended attacks bring together elements of malware, whaling, social engineering, and spear phishing, i.e., the targeting of individuals or groups based on certain criteria such as belonging to a particular organization or company, the department they work in, their titles, zip code, or some other personally identifiable information or affiliation.
According to the FBI, "The BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300% increase in identified exposed losses. The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong." Net losses from all BEC scams to date are estimated at well north of $3B. "Perhaps because they are already impersonating the boss, the W-2 phishers feel like they're leaving money on the table if they don't also try to loot the victim organization's treasury …," writes Brian Krebs on his KrebsOnSecurity blog, referring to the wire-transfer aspect of the attacks. "At one point last year I was hearing from almost one new W-2 phishing victim each day. Some of the more prominent companies victimized by W-2 scams last year included Seagate Technology, Moneytree, Sprouts Farmer's Market, and EWTN Global Catholic Network."
Whaling of particular concern
Organizations should be particularly concerned with the whaling aspect of the attack. Whaling targets an organization's leaders. Attackers will often stalk an executive's physical movements through social media and company press releases, and use malware of the kind associated with advanced persistent threats (APTs) to learn the executive's communication patterns and steal their credentials. When the time is right – say, when the executive is on a business trip and is not easily reached – they launch the attack. These attacks rely on social engineering to create a sense of urgency on the part of the victim. This often involves sending an "urgent request" of some kind that requires immediate action on the part of the targeted employee. In the case of the W-2 scam, the request is usually for a list of employees' W-2 information, which includes SSNs.
According to the IRS, a typical message will look like one of these emails:
- "Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review."
- "Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)."
- "I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap."
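The sample messages above carry several indicators a mail filter can score: an executive's display name on an address that is not on the roster, a Reply-To that diverges from From (the reason behind the FBI's "Forward, don't Reply" advice), a request for W-2/SSN data, and pressure to act quickly. The following scorer is an added example, not code from the IRS, the FBI or this article; the executive roster, domains and sample emails are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical executive roster: display name -> the only address it should send from.
EXECUTIVES = {"pat lee": "pat.lee@example.com"}

# Content indicators drawn from the IRS sample messages quoted above.
W2_TERMS = [r"\bw-?2\b", r"social security", r"\bssn\b", r"wage and tax statement",
            r"earnings summary", r"date of birth", r"\bsalary\b"]
PRESSURE_TERMS = [r"\basap\b", r"quick review", r"\burgent\b", r"\bkindly\b", r"immediately"]

def score_message(raw: str) -> dict:
    # Parse a plain-text RFC 822 message; compare addresses case-insensitively.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    reasons = []
    # Display-name impersonation: a known executive's name on a non-roster address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{name}' but sender is {addr}")
    # Reply-To hijack: hitting "Reply" would route the answer away from the visible sender.
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # Request for employee tax data / PII.
    hits = [t for t in W2_TERMS if re.search(t, text)]
    if hits:
        reasons.append("requests employee tax/PII data: " + ", ".join(hits))
    # Social-engineering pressure to act quickly.
    if any(re.search(t, text) for t in PRESSURE_TERMS):
        reasons.append("urgency/pressure language")
    # Two or more tax-data terms alongside other indicators raise confidence.
    score = len(reasons) + (1 if len(hits) >= 2 else 0)
    return {"score": score, "reasons": reasons, "suspect": score >= 3}

# Constructed samples: the lure reuses the wording of the first IRS example above.
LURE = """From: Pat Lee <pat.lee@examp1e-mail.com>
Reply-To: pat.lee.office@mailbox.example.net
Subject: W-2 request

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
"""
BENIGN = """From: Pat Lee <pat.lee@example.com>
Subject: Board meeting

Please book the conference room for Thursday at 10.
"""
```

A score of 3 or more is a reasonable threshold to hold the message for human review rather than deliver it to payroll; the returned reasons give the reviewer something concrete to check.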
How to avoid becoming a victim
It's never easy to keep cyber criminals at bay. They only need to be successful once. You, on the other hand, have to succeed 100 percent of the time. These odds definitely favor the opposing team. But, not all is lost. There are common sense steps all organizations can take to stay safe. While a complete list is beyond the scope of this article, the FBI suggests the following:
- Hold international wire transfers for an additional period of time, to verify the legitimacy of the request.
- Avoid using web-based e-mail accounts.
- Be careful of what you post to social media and company websites about job duties/descriptions, organizational information, and travel of executives.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and financial security procedures, including the implementation of a two-step verification process such as telephone calls, to verify significant transactions.
- Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
- Do not use the "Reply" option to respond to any business e-mails. Instead, use the "Forward" option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient's correct e-mail address is used.
- Beware of sudden changes of standard business practices.
The examples above were pulled from a more complete list that can be found in the FBI public service announcement on BEC, and more information is available in a United States Department of Justice (www.justice.gov) publication entitled Best Practices for Victim Response and Reporting of Cyber Incidents.
If you are a victim, the FBI says to immediately:
- Contact your bank to make them aware of the situation and ask them to contact the bank where the transfer went.
- Contact your local FBI office.
- File a complaint, regardless of dollar loss, at IC3.gov.
While the social engineering aspect of the W-2 phishing scam is new, the methods and means of its execution are not. Because the attack vectors are known, they can be countered through an effective mix of people, process, and technology, in that order.