Tax season is always the favorite time of the year for adversaries aiming to gain access to payroll data, but this year phishing schemes have surfaced earlier and in greater quantity than usual. A couple of months ago, the personal and financial information of the city of Batavia’s personnel was compromised due to email phishing of W-2 tax forms. The information included social security numbers, addresses, earnings, and names of several hundred councilmen, staffers, and others who had received W-2 forms from the city of Batavia.

The threat actors are conducting extensive due diligence on the social engineering aspect, which is enabling them to identify school executives, HR professionals or others in a role of authority. Utilizing a technique known as BEC (business email compromise), adversaries are effectively spoofing the senders’ accounts. Both the “FROM” and “TO” fields contain legitimate email addresses, and unsuspecting personnel rely on the accuracy of the sender’s email address to share the requested information. The information is transferred to a hidden email address managed by the adversary.

An enterprise victimized by a payroll phishing scam can experience a long list of negative consequences, including significant imputed and out-of-pocket costs from obeying mandatory breach notification laws; distracted, anxious and furious employees; and class action litigation in some cases.

How Cyber Criminals Benefit from W-2 Data

Successful phishing schemes result in adversaries obtaining troves of sensitive data including social security numbers, addresses, salaries, date of birth, employer information, as well as names required for tax filings. Cybercriminals will use their newfound “assets” to file and process fake tax returns (Form 1040) which create illegitimate refunds or sell sensitive information to identity thieves through the black market.

Notably, the emails aren’t limited to requesting W-2 information. According to the IRS, they can request wire transfers in addition to payroll-related forms and even target district hospitals and educational institutes.

The IRS also notes that it never initiates any form of communication with taxpayers via SMS, social media, or email to request financial or personal details. Any contact from them will be an answer to a message initiated by the taxpayers. Cybercriminals, therefore, rely on the higher-ups within target organizations to supply them with W-2 records of company personnel.

How to Detect Payroll Phishing

Before handing over any W-2 information or records, recipients should scrutinize the tax preparer’s or requesting party’s credentials. For example, cross-check the information against the directory of federal tax preparers, and ask co-workers whether they have received a similar email and whether the sender used the same email address in the past. Also be wary of emails that appear to come from your financial advisor or your boss.

Also, recipients should see if the email comprises any of these elements:

– Emails are sent with an urgency that the information needs to be “sent back ASAP,” or “reviewed immediately.”

– W-2 records (consisting of salaries, addresses, date of births, social security numbers and tax documents) are requested in large quantities as an Excel document or a PDF, for example.

– In rare instances, the sender may request login information for document-sharing websites, or ask that the records be transferred through Dropbox because the W-2 files are too large.

If it does, it is likely a payroll phishing attempt. Delete it and start warning others.
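The checklist above can be turned into a simple triage script. The following Python code is an added example, not part of the original article: it parses a constructed BEC-style message (the names, domains and addresses are made up) and reports which of the indicators described above it matches, including the hidden reply address that the spoofed “FROM” field hides.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, modelled on the BEC pattern described in the article:
# From and To look legitimate, but Reply-To silently diverts the answer
# to an address outside the organisation.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@example-city.gov>
To: payroll@example-city.gov
Reply-To: Jane Doe <jane.doe@example-city-mail.com>
Subject: W-2 forms needed ASAP
Content-Type: text/plain; charset="utf-8"

Hi, kindly send me the W-2 records for all staff as a single PDF.
I need this reviewed immediately. Thanks.
"""

URGENCY_TERMS = ("asap", "immediately", "urgent", "right away")
PAYROLL_TERMS = ("w-2", "w2", "payroll", "social security")
BULK_TERMS = ("all staff", "all employees", "pdf", "excel", "spreadsheet")
SHARING_TERMS = ("dropbox", "login", "password", "share link")


def phishing_indicators(raw_message, internal_domain):
    """Return the list of payroll-phishing indicators found in one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()

    found = []
    # BEC tell-tale: the visible sender is genuine, but replies go elsewhere.
    if reply_to and reply_to != sender:
        found.append("reply-to differs from sender")
    if reply_to and not reply_to.endswith("@" + internal_domain):
        found.append("reply-to outside organisation")
    if any(term in text for term in URGENCY_TERMS):
        found.append("urgency language")
    if any(t in text for t in PAYROLL_TERMS) and any(t in text for t in BULK_TERMS):
        found.append("bulk payroll data request")
    if any(term in text for term in SHARING_TERMS):
        found.append("document-sharing or credential request")
    return found


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EMAIL, "example-city.gov"):
        print("-", flag)
```

Keyword lists are deliberately small; in practice they would be tuned to the organisation’s own vocabulary and combined with mail-gateway checks such as SPF/DKIM results.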

Keeping Payroll Phishing at Bay

Payroll phishing attacks can be mitigated by an ironclad rule: no matter who requests W-2 forms or other tax-filing documents, the files must not be sent until the request has been explicitly double-checked by the CFO or a manager and verified over the telephone. Organizations also often have policies regarding what types of information may be sent via email at all.

Also, educate personnel on how phishing scams contain careless copy in some instances. These are emails that, at initial glance, look normal but upon a closer look reveal letters replaced by numbers and small spelling mistakes (e.g., Kindly send us yore W-2 record ASAP). Encourage them to be wary of each unexpected email and to create a risk mitigation culture where staff members feel comfortable with informing the security team of any messaging that looks suspicious.

It’s also a good idea to test where your organization’s security culture stands. In the past, that had to be done via manual exercises in which employees were called into a room and asked to respond to a message shown on a big screen. Written tests were also the norm. Today, phishing-simulation platforms such as InfoSec’s SecurityIQ enable managers to send simulated phishing emails to employees. The managers then receive a report on the employees’ responses, which helps them understand whether their security awareness programs are working and which aspects need to be beefed up.

Another thing companies can do to protect against payroll phishing is to deploy continuous security monitoring. While fraudulent payroll phishing emails simply try to steal W-2 records, in other cases threat actors have a different aim: to disrupt the corporate network, access a trove of sensitive files, or steal system resources and other enterprise secrets. To protect your infrastructure, establish a security baseline and install a continuous monitoring system against it.

With continuous vigilance, even if a phishing attack manages to break the outer layer of your security defenses, you will be notified immediately if the adversary attempts to use your infrastructure resources and therefore can take appropriate measures to stop it in its tracks.

Final Verdict

The W-2 email is just one of the multiple new variations of payroll phishing that have appeared in the last few years with a focus on the big sweep of sensitive payroll information. While anyone’s lapse of judgment or carelessness can fulfill the aim of an adversary, a combination of security awareness, periodic analysis, and continuous monitoring can make your defenses very difficult to break down. For smaller companies, the best thing they can do to prevent these attacks is to be on high alert.