
FBI Warns of New W-2 Phishing Attack Targeting HR

By Allstate Identity Protection

With tax season well underway, identity thieves are working overtime to steal the personal data of every man, woman, and child. In years past, cybercriminals targeted taxpayers on an individual basis. But the rules of the game are changing.

A disturbing new trend shows identity thieves are instead turning their attention to HR directors. Here’s what you need to know about the Form W-2 phishing scam and what it could mean for your employees.

How the Form W-2 scam works

According to a recent warning from the FBI, an effective new business email compromise (BEC) attack is wreaking havoc on companies large and small. While this type of attack isn’t new, it clearly illustrates how identity thieves are becoming more sophisticated.

Although there can be many variations, the Form W-2 phishing scam works like this:

  • Cybercriminals conduct in-depth research on companies and institutions — identifying persons of authority, like HR administrators, chief intelligence officers, or school/hospital executives

  • Next, the fraudsters send phishing emails to the unsuspecting parties requesting the W-2s of all employees

  • They then use this information to file fake tax returns on a victim’s behalf, sell the data on the dark web, or do both

Sadly, this isn’t enough for every identity thief. Some prefer to take things even further — requesting the victim make an unauthorized wire transfer from their company’s account.

What explains the rise in popularity?

This particular type of phishing scam is growing at an unprecedented rate. Last year, there were more than 900 attacks. The year before, there were a little more than 100. What’s responsible for the big uptick?

Identity thieves are getting the biggest bang for their buck. By targeting corporations instead of just individuals, they can steal massive amounts of personnel data in one swoop. Further, phishing emails that appear to come from a victim’s boss, co-worker, or industry partner are incredibly efficient. In fact, they yield such amazing results, there was a 2,700 percent increase in BECs from January 2015 to December 2016.

Yes, it really happens

Just a few weeks ago, I received an email from our “CEO” asking for copies of InfoArmor’s W-2 forms. Luckily, I know to look out for emails like these and know that our CEO would not request information like this over email. However, many HR managers are busy, and want to cross one more item off their to-do list. Slow down, determine if the email looks legitimate, and when in doubt, call the person who sent it to you to see if it’s genuine.

How to report a W-2 phishing scam

Due to the increased popularity of the Form W-2 phishing scam, the IRS set up a dedicated email address and procedure for potential victims. If you think you may have been a victim, it’s imperative you reach out to the Internal Revenue Service as soon as possible. If you quickly alert the agency to the crime, they may be able to help protect your employees and anyone else the scam may have affected.

To file a report, the IRS recommends you email the following information to dataloss@irs.gov using the subject line “W-2 Data Loss”:

  • Business name

  • Business employer identification number (EIN) associated with the data loss

  • Contact name

  • Contact phone number

  • Summary of how the data loss occurred

  • Volume of employees impacted

Note: Do not attach any employee personally identifiable information data.

Limit the risks of employee data theft

To help reduce the risk of your company falling victim to the Form W-2 scam, the IRS recommends taking the following actions:

  • Limit the number of employees who have access to approve/conduct wire transfers or handle W-2-related requests or tasks

  • Use out-of-band authentication to verify requests for W-2-related information or wire transfer requests that appear to come from executives

  • Maintain a non-electronic form of vendor contact information for those who are authorized to approve changes in payment instructions

  • Delay any wire transfer until you can confirm the authenticity of the request

  • Require dual-approval for any wire transfer request involving one or more of the following:

      • A dollar amount over a specific threshold

      • Trading partners who are not on a “white list” of approved trading partners

      • New trading partners

      • New bank and/or account numbers for current trading partners

      • Wire transfers to countries outside of the normal trading patterns
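
The dual-approval criteria above can be enforced by the payment workflow itself, so a request cannot be released by one person when any of them applies. The following is an added example, not code from the IRS or from this article; the record layout, reason strings, threshold and sample data are assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Partner:
    approved: bool                                  # on the approved-partner list
    accounts: set = field(default_factory=set)      # bank accounts already paid


@dataclass
class Policy:
    threshold: Decimal                              # site-specific limit (assumed)
    normal_countries: set                           # usual destination countries
    partners: dict = field(default_factory=dict)    # partner name -> Partner


@dataclass
class WireRequest:
    partner: str
    account: str
    country: str
    amount: Decimal


def dual_approval_reasons(req, policy):
    """Return each criterion from the list above that this request trips."""
    reasons = []
    if req.amount > policy.threshold:
        reasons.append("amount over threshold")
    known = policy.partners.get(req.partner)
    if known is None or not known.approved:
        reasons.append("partner not on approved list")
    if known is None or not known.accounts:
        reasons.append("new trading partner")
    elif req.account not in known.accounts:
        reasons.append("new bank account for current partner")
    if req.country not in policy.normal_countries:
        reasons.append("country outside normal trading pattern")
    return reasons  # an empty list means single approval is enough


# Constructed sample data, not taken from the article.
POLICY = Policy(
    threshold=Decimal("10000"),
    normal_countries={"US", "CA"},
    partners={"Acme Supply": Partner(approved=True, accounts={"ACCT-0001"})},
)

if __name__ == "__main__":
    req = WireRequest("Acme Supply", "ACCT-9999", "US", Decimal("2500"))
    print(dual_approval_reasons(req, POLICY))
```

Returning the list of reasons, rather than a yes/no flag, gives the second approver the specific point to confirm with the requester before release.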

These tips provide an excellent starting point. However, in today’s digital era, we must do much more to protect our employees from the threats of cybercriminals.

If you’d like to learn how your organization can keep its employees — and bottom line — safe, check out our complimentary ebook, “The HR Guide to Employee Data Protection and Identity Theft Prevention.” Want to learn more about the dangers of phishing and additional steps you can take to prevent such attacks? We’ve got you covered. Our ebook, “Phishing for Dollars: How Identity Theft Is Leaving Businesses and Employees on the Hook,” is loaded with great information your company can use to stop BECs in their tracks.
