This is a good time of year to remind your employees that they need to take special precautions to protect against the spreading depredations of W-2 phishing scams.
In a separate development, the Internal Revenue Service (IRS) recently issued a warning for those accounting professionals responsible for making tax filings concerning a different phishing scam where the criminals impersonate the IRS and attempt to steal Electronic Filing Identification Numbers (EFINs).
When it comes to the W-2 phishing scams, hackers obtain employee W-2 Forms for the purpose of filing fraudulent tax returns to obtain large refunds. These phishing e-mails typically show up around the time after firms have distributed W-2 forms to their employees. This year, employers are seen as being more vulnerable than before because of the enormous increase in e-mail communications by employees necessitated by working from home.
This particular kind of cyber-scam is considered a form of “spear-phishing” and also is known as business e-mail compromise (BEC) attacks, and CEO spoofing. Spear-phishing attacks are designed to target a specific victim by using personal or organizational information to earn the victim’s trust.
The cyber-criminal uses information like personal and work e-mail addresses, job titles and responsibilities, names of friends and colleagues, personal interests and more to lure victims into providing sensitive or confidential information. Quite often, the scammer culls this information from social media, LinkedIn and corporate websites. The method used has been found to be both convincing and highly successful in gaining victims’ trust.
“Often employers do not know the scam has occurred until it is too late,” note attorneys Mary Costigan and Joseph J. Lazzarotti of the Jackson Lewis law firm. “The consequences from a successful W-2 phishing scam can extend well beyond leaked data, and may include potential employee class action litigation. A W-2 e-mail phishing scam can have a devastating impact on a business and its employees.”
Most of the other kinds of phishing scams are relatively unsophisticated by comparison. They largely rely on unwary individuals falling for spam e-mail offers and requests for information distributed in the hundreds of thousands, if not millions. The perpetrators are counting these large numbers of e-mails to generate a small number of responses that can lead to exploitation of the victims’ lack of wariness.
A Sophisticated Scam
On the other hand, in order to pull off a W-2 spear-phishing scam, the scammers develop what is a product of patient and time-consuming research into your company’s people and processes, delving into your organization chart and exercising greater care when it comes to spelling, grammar and the use of logos and typefaces. When the e-mails are sent to targeted individuals they are much more difficult to spot than are other kinds of phishing e-mails.
The way the scam works: An e-mail message is received by one of your employees who is working in the human resources or accounting department. It appears to have originated from a top executive or some other higher-up. Both the “To” and the “From” e-mail addresses appearing on the message are in fact legitimate internal addresses, as are the sender and recipient names.
The fake e-mail asks the employee to forward some of the company’s W-2 Forms, or other related tax data, to the sender. Because of the careful research that has been done by the scammers, this request aligns with the real job responsibilities of both the employee and the supposed internal sender named as the sender.
The employee relies on the accuracy of the sender’s e-mail address, coupled with the sender’s job title and role, and forwards the confidential W-2 information. Once the reply is sent, the information goes to a hidden e-mail address controlled by the cyber-criminal.
“If successful, the cyber-criminal obtains a trove of sensitive employee data that can include names, addresses, salary information, social security numbers, and well as employer information needed for tax filings,” Costigan and Lazzarotti explain.
The information is then used by the criminals to file fake individual tax returns with the IRS which generate fraudulent tax refunds, or it is sold on the Dark Web to identity thieves to be used for other deviant purposes.
The attorneys remind employers that while an organization can use firewalls, Web filters, malware scans or other security software in an attempt to hinder spear-phishing, experts agree the best defense is employee awareness. This includes ongoing security awareness training for all levels of employees, simulated phishing exercises, internal procedures for verifying transfers of sensitive information, and reduced posting of personal information online.
In the event a business falls victim to a W-2 phishing scam, the attorneys stress that it will need to respond quickly. They say this may require taking immediate steps to investigate the nature and scope of the attack, and ensure the attackers are no longer in the business’s systems.
It also is important to determine whether the business must notify individuals and state agencies of the data loss under applicable state law, and extend ID theft and credit monitoring services to the affected employees. Also required is notifying the IRS of a W-2 data loss at [email protected], reporting the phishing e-mail to the IRS at [email protected] and the Internet Crime Complaint Center of the FBI, as well as to the appropriate state taxing authorities.
In the wake of such an attack, it also is vital for the employer to reach out and help their employees with any questions they may have about rectifying their tax returns, Costigan and Lazzarotti say.
Tax Preparers Beware
In another development, the IRS, state tax agencies and the tax industry issued a warning on Feb. 10 to those who prepare and submit tax information to the agency describing how cyber-criminals have come up with a new scam in which they attempt to steal EFINs.
“Phishing scams are the most common tool used by identity thieves to trick tax professionals into disclosing sensitive information, and we often see increased activity during filing season,” said IRS Commissioner Chuck Rettig. “Tax professionals must remain vigilant. The scammers are very active and very creative.”
The latest scam email says it is from “IRS Tax E-Filing” and carries the subject line “Verifying your EFIN before e-filing.” IRS warns tax pros not to take any of the steps outlined in the email, especially responding to the email.
IRS reports that the body of the bogus e-mail states:
In order to help protect both you and your clients from unauthorized/fraudulent activities, the IRS requires that you verify all authorized e-file originators prior to transmitting returns through our system. That means we need your EFIN (e-file identification number) verification and Driver's license before you e-file.
Please have a current PDF copy or image of your EFIN acceptance letter (5880C Letter dated within the last 12 months) or a copy of your IRS EFIN Application Summary, found at your e-Services account at IRS.gov, and Front and Back of Driver's License emailed in order to complete the verification process. Email: (fake email address)
If your EFIN is not verified by our system, your ability to e-file will be disabled until you provide documentation showing your credentials are in good standing to e-file with the IRS.
© 2021 EFILE. All rights reserved. Trademarks
2800 E. Commerce Center Place, Tucson, AZ 85706
The federal agency advises tax professionals who received the scam to save the email as a file and then send it as an attachment to [email protected]. They also should take steps to notify the Treasury Inspector General for Tax Administration (TIGTA) at www.tigta.gov to report the IRS impersonation scam. Both TIGTA and the IRS Criminal Investigation division are aware of the scam.
Tax professionals also should be aware of other common phishing scams that seek to obtain EFINs, Preparer Tax Identification Numbers (PTINs) or e-Services usernames and passwords.
In addition, some thieves pose as potential clients, which is an especially effective scam currently because there are so many remote transactions taking place during the pandemic, IRS points out. The thief may interact repeatedly with a tax professional and then send an e-mail with an attachment that the sender claims is their tax information.
To make matters worse, in some cases the attachment may contain malware that allows the thief to track keystrokes and eventually steal all passwords or take over control of the organization’s computer systems. For additional information and help, tax professionals should review Publication 4557, Safeguarding Taxpayer Data PDF and Identity Theft Information for Tax Professionals.