Tax season means it’s time to watch out for W-2 scams
As American individuals and companies head into tax season, the Internal Revenue Service (IRS) is warning organizations of all types to be on the lookout for attempted W-2 phishing attacks as part of a broader pattern of business email compromise attempts. The urgent alert issued by the IRS on February 2 was the second such notice in a span of just eight days and emphasized that the phishing scam centered on employers’ Form W-2 information appears to be affecting many types of organizations beyond the commercial corporate entities typically targeted by this sort of attack. The IRS has for several years included phishing on its “dirty dozen” list of tax scams, although historically the most prevalent scams seem to have been attempts by attackers to send fake emails purportedly from the IRS. Beginning just last year, this class of attacks evolved to include phishing emails directed to company employees working in payroll or human resources that claim to be from the company CEO, asking the recipient to send copies of employee W-2 forms. According to data compiled by industry media sources such as CSO Online, data from more than 40 companies was compromised by these attacks in 2016. This “success” rate, coupled with what the IRS says are new notifications it has already received this year for the tax year 2016 filing season, prompted a renewed alert to corporate payroll and HR departments.
It should come as no surprise to anyone that paperwork or data related to tax returns are attractive targets for attackers, or that phishing scammers have gotten more creative about who the originating party is supposed to be in the emails they send. What is perhaps harder to understand is why so many of these emails make it through to their recipients, whether or not the recipients actually fall for the scam. A phishing email of this type is almost always sent from a source outside the targeted organization, so while it is a trivial matter for a scammer to change the “reply to” value in the email to be a corporate CEO or other official, it is technically much less trivial to hide the true origin (server, IP address, and domain) of the email. It should be simple to apply a rule to incoming email that essentially says, “reject any email received from an external domain that claims to originate from an address in the internal domain.” Essentially every network firewall implements an analogous rule by default (dropping packets from external sources that have an internal source IP address), but few managed email service providers allow such rules to be defined and enforced. This deficiency leads to a market opportunity for email security gateway vendors like Barracuda, Cisco, Proofpoint, Sophos, and Websense. While many organizations have treated phishing avoidance as a security awareness issue, the increasing frequency of specialized attacks like the W-2 scams might push more companies to augment their phishing prevention capabilities so they don’t have to rely so heavily on their employees.
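The gateway rule described above, written out as an added example that is not part of the original article: a check that flags a message whose From address claims the internal domain while its envelope sender (Return-Path), the last SMTP hop in the outermost Received header, or its Reply-To points outside that domain. The internal domain example.com and the two sample messages are constructed for illustration.

```python
# Added example of the gateway rule from the text; example.com and the sample headers are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed internal domain
def domain_of(header_value):
    """Lower-cased domain of an address header such as From or Reply-To ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def check_spoofed_internal(raw, internal=INTERNAL_DOMAIN):
    """Return the reasons the message violates the rule; an empty list means it passes."""
    msg = message_from_string(raw)
    if domain_of(msg.get("From")) != internal:
        return []  # the rule only concerns mail claiming an internal From address
    reasons = []
    env = domain_of(msg.get("Return-Path"))
    if env and env != internal:
        reasons.append(f"envelope sender domain {env} is external")
    # Only the outermost Received header (the hop into our gateway) is trustworthy.
    received = msg.get_all("Received") or [""]
    m = re.match(r"\s*from\s+(\S+)", received[0], re.I)
    hop = m.group(1).lower() if m else ""
    if hop and hop != internal and not hop.endswith("." + internal):
        reasons.append(f"last SMTP hop {hop} is outside {internal}")
    reply = domain_of(msg.get("Reply-To"))
    if reply and reply != internal:
        reasons.append(f"Reply-To sends replies to external domain {reply}")
    return reasons

# Constructed sample: external webmail relay, spoofed CEO From, external Reply-To.
SCAM = """\
Return-Path: <bounce@free-webmail.example>
Received: from mail.free-webmail.example ([203.0.113.5]) by mx.example.com; Thu, 2 Feb 2017 09:12:00 -0500
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: <jane.doe.ceo@free-webmail.example>

Please send me the W-2s for all employees as PDF.
"""

# Constructed sample: genuine internal mail relayed by an internal hub.
LEGIT = """\
Return-Path: <jane.doe@example.com>
Received: from hub01.corp.example.com ([10.1.2.3]) by mx.example.com; Thu, 2 Feb 2017 09:12:00 -0500
From: "Jane Doe" <jane.doe@example.com>

See attached.
"""
```

A gateway applying this rule would quarantine the first message on three independent grounds and pass the second; mail that never claims an internal sender is left to the usual anti-spam controls.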