Further Warnings Issued Regarding Tax Season Phishing Scams

The IRS has issued further warnings to payroll and human resources professionals to beware of tax season phishing scams requesting details of company employees.

Despite tax season phishing scams receiving a high profile last year, the IRS has seen a 400 percent surge in phishing and malware incidents so far this tax season – many of the scams targeting payroll and human resources professionals to obtain employee data.

The IRS Criminal Investigation department is reviewing multiple cases in which scammers have tricked people into revealing sensitive data that the criminals can monetize by filing fraudulent tax returns for refunds. The emails appear to come from a high ranking executive and request a list of employees including their Social Security numbers. The IRS released details of three typical tax season phishing scams:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

Scammers Targeting Entities outside the Corporate World

The tax season phishing scams are not exclusively targeted towards corporate organizations with large payrolls. In one case being investigated by the IRS, the payroll of the Virginia Wesleyan College was disclosed to an unauthorized third party by a college employee who believed the phishing email was a legitimate internal request. On discovery of the disclosure, college officials immediately notified the FBI, IRS, state taxing authorities, and affected employees.

Within a month – although not promoted by the Virginia Wesleyan College incident – Governor Terry McAuliffe approved amendments to the state’s data breach notification statute. The amendments require employers and payroll service providers to notify the state’s Office of the Attorney General after the discovery of a breach of computerized employee payroll data that compromises the confidentiality of such data. Notification is required even if the breach does not otherwise trigger the statute’s requirement that the employer or payroll service provider notify residents of the breach.

IRS Warns of New Development in W-2 Phishing Scam

The IRS is warning employers to be aware of a new development in a W-2 phishing scam that combines employee data theft with bogus wire transfers.

The W-2 phishing scam – in which fake emails request details of all employees and their Forms W-2 – first appeared during last year´s tax season. Its objective is to collect data that will assist criminals in committing identity theft and filing fake tax returns.

Due to a greater awareness of the W-2 phishing scam within the corporate world – and more safeguards being introduced to identify phishing emails – the IRS reports that many attempts to scam large-scale employers have been unsuccessful. However, criminals are now targeting other sectors such as school districts, tribal organizations and nonprofits.

The new development the IRS wants employers to share with HR and Finance professionals is that cybercriminals are following up their W-2 phishing scam with a further email requesting a wire transfer to a certain account. Some companies have lost thousands of dollars in addition to disclosing their employees´ tax details as a result of this scam.

How to Report a W-2 Phishing Scam

In order to protect themselves against data theft and financial loss, the IRS is urging all employers to create an internal policy on the distribution of employee W-2 information and conducting wire transfers. Employers are also being asked to forward emails identified as W-2-related scams to phishing@irs.gov with “W2 Scam” as the subject of the forwarded email.

In the event that a W-2 phishing scam is successful, the IRS wants employers to report the theft immediately to the Internet Crime Complaint Center, while employees whose identity may have been stolen (usually apparent when a tax return is rejected because of a duplicated Social Security number) should review the actions recommended by the Federal Trade Commission at www.identitytheft.gov.

IRS Commissioner John Koskinen described the W-2 phishing scam as one of the most dangerous scams he had seen in a long time. He said: “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

FBI Warns of Further Increase in Organized BEC Scams

The increased sophistication of whaling emails has prompted the FBI to issue a warning to high-level executives about the threat from organized BEC scams.

The FBI has warned high-level executives to be on their guard against acting on emails that appear authenticate and request business-critical data or a transfer of funds to a third-party. The warning comes after the bureau identified a 1,300% rise in losses incurred by victims of business email compromise (BEC) scams.

The alarming rise in losses is being attributed to the increased sophistication of whaling emails – emails sent to high-level executives that request a specific action. The emails appear to be from an authentic source – or they originate from a compromised email account within a company – and usually contain information relative to the recipient.

Due to the effort required to create the impression of authenticity, and the data that has to be collected in order for the content of the email to appear convincing, the FBI believes that the majority of business email compromise scams are originating from organized criminal enterprises – many of whom operate in the same way as professional organizations.

During one investigation, Steve Meckl – a former technical operations unit chief in the cyber division of the FBI – found one unit following a Monday-to-Friday work week and even taking time off for Christmas. The organized nature of some criminal enterprises has now been given its own name by some security industry professionals – “the corporatization of cybercrime”.

The Work that Goes Into Whaling Emails

The whaling emails used to perpetrate BEC scams are not hit-and-miss affairs. Often they involve months of studying how a company operates after infiltrating its network via malware. The cybercriminals will study the company´s structure, its billing systems and the style of email communication between high-level executives.

Once a target is selected, further research is conducted across “open source intelligence” to collect as much information about the target as possible. The FBI has warned that social media sites such as Facebook, LinkedIn and Twitter provide key details about an individual and their lifestyle, and often provide key information cybercriminals can use to execute their scams.

Even when the profile of the target and the company he or she works for is complete, cybercriminals will choose the time to send the whaling email carefully. Often this will occur when the supposed sender of the email cannot be contacted by phone to confirm the instructions within the email, for example when a CEO or CFO is traveling or on vacation.

Sometimes bogus accounts are set up to receive funds that have just one or two digits different from the account funds are usually sent to. Typically mechanisms are already in place to take the money out of the bogus accounts as quickly as possible – making it impossible to reverse a payment and recover the funds once the scam is discovered.

CEOs and CFOs Particularly High-Value Targets

Due to being best placed to make, or order, high-value financial transactions, CEOs and CFOs are particularly high-value targets. Research conducted by the cybersecurity company Mimecast in 2015 found that 72 percent of whaling emails were either targeted at CEOs or CFOs, or sent to high-level executives appearing to have originated from a CEO or CFO.

The difficulty in detecting that these emails are BEC scams, according to Mimecast´s cybersecurity strategist Orlando Scott-Cowley, is that they do not contain hyperlinks or malicious attachments – typical red flags to most high-level executives with cybersecurity awareness. Scott-Cowley agrees with the FBI´s assessment that the volume of organized BEC scams is going to increase.

“Cyber attackers have gained sophistication, capability and bravado over the recent years, resulting in some complex and well executed attacks,” he said. “As whaling becomes more successful for cybercriminals, we are likely to see a continued increase in their popularity, as hackers identify these attacks as an effective cash cow”.

Other security experts also believe an increase in organized BEC scams is inevitable. The computer security researcher and author Markus Jakobsson believes the success of organized BEC scams will accelerate the “corporatization of cybercrime”, resulting in more and more sophisticated attacks with potentially devastating results.

Precautions to Take to Avoid Organized BEC Scams

In the latest warning about BEC scams, Harold Shaw – the special agent in charge of the FBI´s Boston division – said “As devastating as this crime is, it is equally easy to thwart. We must all develop the habit of verifying the authenticity of emailed requests to send money. The best way to do this is through in-person conversations or using a known telephone number.”

Shaw also suggested several best practices companies could adopt to avoid becoming the victim of future organized BEC scams:

  • Verify changes in vendor payment details by adding two-factor authentication for online financial transactions.
  • Use phone verification as part of the two-factor authentication, and use previously known phone numbers, not the phone numbers included in the email request.
  • Create an email rule to flag communications in which the “reply to” address is different from the “from” address displayed.
  • Create another email rule to flag emails with similar addresses to company emails. For example, to flag an email with the extension @abc_company.com when the company email extension is @abc-company.com.
  • Color code emails so that emails from internal accounts are one color, and emails from external accounts are another.