US state and federal agencies are warning anew about a particularly virulent phishing scam going around this tax season that has leapt beyond corporate targets to steal information from smaller firms and, in a new wrinkle this year, dupe firms into wiring money directly to fraudsters.
In at least three separate missives, the latest published just this month as an “urgent alert,” the Internal Revenue Service (IRS) is apprising firms about a resurgence of the insidious W-2 email phishing scam. It notes that the classic tactic has evolved beyond a focus on large corporations, with schemers now targeting schools, tribal organizations and nonprofits.
The IRS stated on its site that it has seen a roughly “400 percent surge in phishing and malware incidents in the 2016 tax season.” Phishing, and its more creative cousins – spear phishing and whale phishing – are at the heart of more than 90 percent of cybersecurity attacks, according to some security researchers. This is chiefly because the tactic focuses on human error, often evading even sophisticated spam filters.
Those sobering figures look to worsen this year as criminals morph their tactics to pilfer information from a wider variety of companies and entities, and attempt to doubly dupe them into wiring funds to scammers under the guise of bogus fees and payments, in some cases victimizing the same company twice.
“This is one of the most dangerous email phishing scams we’ve seen in a long time,” IRS Commissioner John Koskinen said in a statement. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.”
Scam emails are “designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies,” according to the IRS.
These phishing schemes can ask taxpayers “about a wide range of topics. Emails can seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information,” just to name a few things to be on guard against.
In the last year, the U.S. Federal Bureau of Investigation (FBI) estimated that there was already a “dramatic” upswing in phishing attacks, or more specifically in “business email compromise” (BEC) or “CEO fraud,” so named because the typology often involves emails that masquerade as messages from a higher-ranking company staffer.
In the alert, the FBI highlighted that since early 2015, the agency has seen a 270 percent increase in victims and losses from such scams. The attacks are not just a domestic disturbance. Investigators around the world have logged complaints from victims in all U.S. states and in nearly 80 countries.
High costs of phishing
The FBI estimated last year that organizations defrauded by CEO fraud attacks lose somewhere between $25,000 and $75,000. But in certain instances, the scams have cost some companies in the millions and tens of millions of dollars.
And with tax time in full swing, and scammers hoping a company’s guard will be down if it sees the letters “IRS,” criminal groups are unleashing an even more innovative fusillade to infiltrate firms.
Here’s how the scam works, according to the IRS:
· Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive.
· The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.
· If successful, the scammers can come back to the same company and ask the scammed employee to now send a check or wire transfer directly to a bank account controlled by the group.
Expanding universe of victims
The W-2 scam, which first came to light last year, is “circulating earlier in the tax season and to a broader cross-section of organizations, including school districts, tribal casinos, chain restaurants, temporary staffing agencies, healthcare and shipping and freight,” according to the IRS.
The businesses that got hit with scam emails last year are also under attack again this year.
Want to know how to figure out whether an email or phone call is really from the IRS? Check out this checklist.
The IRS doesn’t:
- Initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.
- Threaten taxpayers with lawsuits, imprisonment or other enforcement actions.
- Require an odd, specific way of payment, such as a prepaid card or phone card.
- Ask for credit or debit card numbers on the phone or in an email.
- Demand you pay in an aggressive way, without the possibility of appeal.
But scammers do say things like:
- Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of your company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
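One way a mail team could turn the signals above (an executive’s name on an outside address, a reply-to that points somewhere else, and the W-2 and wire-transfer wording quoted from the scam emails) into a screening rule, as an added example that is not from the IRS or this article; the domain, executive list and sample messages are constructed assumptions:

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed values for this example: the organisation's own domain and the
# executives whose display names a W-2 scam email may imitate (hypothetical).
INTERNAL_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}
# Wording taken from the scam requests the IRS quotes: W-2 lists, employee PII
# fields and the follow-up wire-transfer ask; matched case-insensitively.
W2_PATTERNS = [r"\bw-?2s?\b", r"social security number", r"wage and tax statement",
               r"earnings summary", r"updated list of employees", r"\bwire transfer\b"]

def assess_message(raw: str) -> dict:
    # Parse one RFC 822 message and report which spoofing/content signals fired.
    msg = email.message_from_string(raw, policy=policy.default)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    reply_domain = reply_to.rsplit("@", 1)[-1].lower() if "@" in reply_to else sender_domain
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    hits = [p for p in W2_PATTERNS if re.search(p, text)]
    reasons, name = [], display.strip().lower()
    if name in EXECUTIVES and sender.lower() != EXECUTIVES[name]:
        reasons.append("exec_name_spoofed")   # executive's name on a foreign address
    if sender_domain != INTERNAL_DOMAIN:
        reasons.append("external_sender")
    if reply_domain != sender_domain:
        reasons.append("reply_to_mismatch")   # replies silently routed elsewhere
    # Hold for out-of-band verification only when a W-2/wire request arrives with
    # an identity signal; a genuine internal request passes this filter.
    return {"flag": bool(hits) and bool(reasons), "reasons": reasons, "keyword_hits": hits}

# Constructed sample messages: one imitating the IRS-quoted scam, one benign.
SCAM_MAIL = """From: Jane Doe <jane.doe@external-mail.test>
Reply-To: Jane Doe <ceo-desk@other-host.test>
To: payroll@example-corp.test
Subject: Quick request

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all
W-2 of your company staff for a quick review.
"""
LEGIT_MAIL = """From: Jane Doe <jane.doe@example-corp.test>
To: payroll@example-corp.test

Can you book the large conference room for Thursday's all-hands?
"""
```

A flagged message is held for a phone call to the named executive rather than answered by email, which is the check-and-balance the IRS recommends below.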
New payroll procedures needed?
To counter scammers, the IRS, states and the tax industry are urging employers to share information with their payroll, finance and human resources employees about the scam and its newer wire transfer component.
Firms should also consider “creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers,” to create more checks and balances if an email gets through and an employee is on the verge of emailing data or transferring funds to schemers.
What to do if you are caught in a W-2 phishing scam?
Organizations receiving a W-2 scam email should forward it to firstname.lastname@example.org and place “W2 Scam” in the subject line.
Organizations that receive the scam emails or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3), operated by the FBI.
Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return rejects because of a duplicate Social Security number or if instructed to do so by the IRS.
FinCEN weighs in
The issue is also on the mind of the country’s financial intelligence unit, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN).
In September, FinCEN stated in an advisory that financial institutions needed to more tightly knit together their anti-money laundering, fraud and cybersecurity teams to better thwart the explosion of “cyber-enabled crime” against individuals and businesses, also citing BEC.
The advisory, at the time, amounted to a championing of the virtues of compliance convergence, as it was directed explicitly at AML, fraud, risk and cyber teams, something no U.S. regulator had done so directly before.