Scammers target firms with W-2 phishing/CEO fraud blend

“One of the most dangerous email phishing scams we’ve seen in a long time.”

David bisson
David Bisson

W2 form

The United States Internal Revenue Service (IRS) is warning organizations to be on the lookout for scammers that blend CEO fraud with W-2 phishing.

In an alert published on 2 February, the IRS explains that the scam begins with a phishing attempt for W-2 information:

“Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).”

Sign up to our free newsletter.
Security news, advice, and tips.

Business email compromise scams are nothing new. This ruse, through which an attacker impersonates an executive by phishing for their business email account credentials, has been around for years. In fact, the FBI has been tracking BEC ploys since October 2013.

As of June 2016, it had documented 22,000 cases of victimized organizations.

By contrast, W-2 phishing has only been around since 2016.

In that span of time, organizations like Seagate and Snapchat have unintentionally provided scammers with their employees’ W-2 information.

Which begs the question: what’s in it for scammers?

W-2 information is incredibly valuable to a computer criminal because a single W-2 record contains an employee’s name, address, Social Security Number, and other data. Together, this is more than enough information for the fraudster to file a fake tax refund in the employee’s name. Alternatively, they can sell the records on the dark web for as much as $20 a pop, as reported by Brian Krebs.

Ceo What’s interesting in this new wave of scams, however, is that the computer criminal doesn’t just settle for W-2 information.

Abusing the same executive’s business email, they commit CEO fraud by contacting payroll or the comptroller and requesting that they authorize a wire transfer to an account under their control. Companies have lost millions of dollars as a result of this technique.

Separately, W-2 phishing and CEO fraud pose a threat to organizations. IRS Commissioner John Koskinen thinks they’re even worse when these two attacks are combined together. As quoted in the IRS alert:

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

Organizations can best protect themselves against W-2 phishing attacks and CEO fraud by training their employees to be on the lookout for business email compromise scams.

That means they need to know not to click on suspicious links or email attachments. At the same time, if your organization ever receives a W-2 phishing email, forward it to [email protected].

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Scammers target firms with W-2 phishing/CEO fraud blend”

  1. Elliot Alderson

    you shouldn't be emailing this stuff even to a dorkie CEO. anyone that does, should probably be looking into a new profession real quick like.

    1. Let me know when a security update is rolled out to fix our human brains. Until then people – especially busy people who like to help out the bosses at work – will continue to make poor decisions.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.