For the majority of small businesses the end of tax season brings a sigh of relief. But don’t let your guards down just yet. A new threat surrounding W-2 fraud has been detected, increasing the concerns over tax-related scams at this time.
The W-2 Phishing Scam Threat
W-2 forms contain all the information that identity thieves are looking for: full names, addresses, identification numbers and more. Cyber criminals understand this, so they create elaborate plans to get their hands on them.
Luckily, Barracuda, the cyber risk experts exposed  the threat recently in a post on the company’s official blog.
The scam requires criminals to know who in your company has access to W-2’s — normally someone in the HR department — and who in your company has the authority to ask for them. Once they identify who these people are, they can begin their scam.
Cyber criminals start by impersonating the manager, senior level executive, or whoever in your company would need access to the W-2. Let’s say this person is John Smith, General Manager. The criminals start by creating a fake email account very closely matching the real one.
Typo-squatted emails are fake accounts that are created by changing one digit and they often go unnoticed. Let’s say John’s real email address was “firstname.lastname@example.org.” The scammers will create emails with a Typo-squatted Domain, for example: “email@example.com” or maybe “firstname.lastname@example.org.”
In the busy environment of the office when you’re receiving multiple emails daily, it can be easy to miss the fact that ‘small’ is missing one L and ‘business’ is missing one S in the domain name. The majority of people don’t closely read the address of incoming emails — especially when they are familiar.
Cyber criminals will use their fake account to suddenly send the HR department or person handling W-2’s an email urgently requesting a copy of someone’s W-2.
This particular scam focuses on creating a sense of authority through the fake email account and a sense of urgency in the sudden request for the documents. Since the email seems to be coming from a person of power and this person seems to be asking for the information out of urgent need — the victim is likely to comply.
The most common types of subject lines in this email scam are:
- John’s (or another employee’s) W2
- 2016 W-2’s
- Request for Employee W2 2016
The body of the email will express that the document is needed “by end of day” or “ASAP.” Once cybercriminals have the W-2 form, they can easily sell the personal information it contains. The information is then used to steal identities and create new ones.
W-2 Phishing Scam Techniques
Companies may be aware of scams related to tax documents but they are more on guard before or during the tax season. Once the season is over, their awareness becomes more relaxed.
The following graphic highlights how this W-2 phishing scam uses three techniques:
- Social Engineering
- Black Market Sales
How to Protect Your Business from This W-2 Phishing Scam
If the W-2’s you are responsible for are stolen, the consequences can be very costly for your small business. Failing to protect the confidential information of your employees can result in lawsuits, a loss of confidence and ruined relationships.
The most important step in protecting your business is creating awareness, especially in sensitive departments like human resources, finance and legal. Simply informing your employees of these types of scams will go a long way towards preventing them.
No matter how elaborate criminals become, this type of phishing scam always depends on somebody clicking on their link and voluntarily sending them the information.
Taking it a step further, your company can create an extra layer of security with outbound filters. This will prevent sensitive documents from leaving your domain or being sent to unknown email addresses.