W-2 forms are an essential part of our working lives in the U.S. At the end of each year, a company will provide employees and the IRS with their W-2 form. The employee then uses this form to fill in their taxes. The W-2 form contains a lot of personal details, including annual wages, taxes withheld, the Employer Identification Number (EIN) and the employer’s state ID number. It also contains personal data such as employee name, address and Social Security number.
All of these data are like a carrot to a donkey in terms of attracting cybercriminals. And it is the desire for these data that has been the driver for the development of the W-2 scam.
W-2 scams are a form of identity theft that relies on socially engineered phishing techniques. Because of the intrinsic link with taxes, the scams usually happen around tax season; as such, W-2 scams have become a kind of annual ritual in the U.S.
What Exactly Is a W-2 Scam?
A W-2 scam is part of a general socially-engineered phishing campaign. The campaign’s aim is to get copies of employee W-2 forms, so they can be used to get access to monies, including tax returns.
The phishers use behavioral manipulation and trickery to ensure their phish is successful. The scam is often compared to a Business Email Compromise (BEC) scam because it is very similar in execution, only with the target item being the W-2 form rather than sequestering general company funds.
A typical W-2 scam would involve the following steps:
- The cybercriminal will choose an organization — usually one where there are enough employees to make the effort of surveillance and phishing worthwhile.
- They then carry out surveillance on the organization to identify a key executive-level worker, usually someone in HR or payroll.
- The attacker will then create a spoof email to look like it has come from the identified person in HR/payroll. They use various BEC-derived techniques to make the email look legitimate.
- This spoof email may be part of a longer relationship-building exercise, with initial emails building up a rapport with the target before the attacker strikes.
- When the right level of trust has been built up, the phisher goes in for the kill and sends the email with a request for W-2 forms. This will be along the lines of: “Can you just send me over PDF versions of W-2 forms for employees showing wage and tax statements for the year?”
Once the phisher has this data in their hands, they can go ahead and carry out tax fraud and sell the personal data on the Dark Web.
There are variants on the above, but the basic steps of surveillance, identifying targets and gaining trust are the same.
Some Examples of W-2 Scams
W-2 Scam of 2016
The IRS put out a notice on March 1st, 2016 notifying consumers of a scam which involved impersonation of company executives. The fake executive sent out emails to HR and Payroll employees. The IRS identified key phrases used to trick the employees into sending the scammer W-2 forms:
- “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
- “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
- “I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
This scam was said to have affected over 41 organizations in 2016, including SnapChat, Seagate and York Hospital.
W-2 Scam of 2018
By 2017, the list of individual organizations affected by W-2 scams had grown to 200, with firms like Coupa seeing all 625 of their employees affected. The IRS put out an alert in January 2018 to try to preempt W-2 scam season. The IRS warned that 2018 would see an expansion of the types of affected companies, with a move outside of the corporate world into the public sector, including school districts. Companies like ComplyRight were phished in 2018, affecting 662,000 individuals.
Ways to Prevent Becoming a Victim of a W-2 Scam
W-2 scams depend on social engineering tricks to manipulate people into releasing sensitive information; this data is then used to perpetrate the crime. There are key ways to make sure that you don’t fall victim to the subtle and cunning ways of the W-2 scammer:
- Ensure the workforce is aware of W-2 scams as part of your ongoing security awareness training.
- Have a process in place to check the validity of W-2 form requests. This can take the form of a “human second-factor authentication”, e.g., a system of cross-check and approval for W-2 processing requests; this can be as simple as every request for the transfer of W-2 forms being cross-checked with the requester directly, by voice or in person.
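As an added illustration of the screening and verification process above (example code, not from the original article or the IRS), the following Python scores an inbound email for the indicators this article describes: an executive’s display name on an address that is not in the company directory, a Reply-To that differs from From, and the W-2 request phrasing quoted in the IRS 2016 notice. Any message that reads as a W-2 request is held for out-of-band verification with the apparent requester; spoof indicators escalate it. The company domain, executive directory and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the company's real mail domain and the directory
# addresses of executives a W-2 phisher would impersonate.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}

# Phrasing drawn from the IRS-quoted 2016 emails plus generic W-2 data terms.
W2_PATTERNS = [r"\bw-?2\b", r"wage and tax statement", r"earnings summary",
               r"social security number", r"\bfull details\b", r"\bpdf\b",
               r"\basap\b", r"\bkindly\b"]

def _body_text(msg) -> str:
    """Collect text/plain content whether the message is flat or multipart."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def score_w2_request(raw_email: str) -> dict:
    """Flag W-2 request phrasing and BEC-style spoofing indicators in one message.
    Every W-2 request is held for the 'human second factor' (out-of-band check
    with the apparent requester); spoof indicators escalate it to security."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    spoof = []
    if display in EXECUTIVES and addr.lower() != EXECUTIVES[display]:
        spoof.append("executive display name on non-directory address")
    if domain != COMPANY_DOMAIN:
        spoof.append("external sender domain")
    if reply_to and reply_to.lower() != addr.lower():
        spoof.append("reply-to differs from from")
    body = _body_text(msg)
    hits = [p for p in W2_PATTERNS if re.search(p, body, re.IGNORECASE)]
    w2_request = len(hits) >= 2  # a single generic word alone is not a request
    action = "none"
    if w2_request:
        action = "escalate_to_security" if spoof else "hold_and_verify"
    return {"w2_request": w2_request, "phrase_hits": len(hits),
            "spoof_indicators": spoof, "action": action}

# Constructed sample modelled on the 2016 wording quoted by the IRS.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: ceo.office@freemail.example
To: payroll@example-corp.com
Subject: W-2 review

Kindly send me the individual 2015 W-2 (PDF) and earnings summary
of all W-2 of our company staff for a quick review.
"""
```

Note that a W-2 request from a genuine directory address still returns `hold_and_verify`: the check is always performed, which is the point of the cross-check process described above.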
If you do receive a suspicious email, check out the reporting steps provided by the IRS and give them the details needed to help prevent these scams in future years.
If you stay wise about W-2 scams and put in place procedures to avoid the release of employee data to malicious entities, you will be able to have a W-2 scam-free 2019.
Sources
- ComplyRight Data Security Incident Notice, ComplyRight
- Form W2 SSN Data Theft: Information for Businesses and Payroll Service Providers, IRS.gov
- IRS, States and Tax Industry Warn Employers to Beware of Form W-2 Scam; Tax Season Could Bring New Surge in Phishing Scheme, IRS.gov
- Silicon Valley Firm Coupa Hit by W-2 Fraudsters, Bank Info Security
- Security breach notice, York Hospital
- Submitted breach notification sample, SnapChat Inc.