

A Two Headed Phishing Scam

When hackers use an initial communication to confirm employee susceptibility to fraud, the second round can be devastating.
The IRS has identified a new phishing scam in which the bad guys successfully trick organizations into sending employee W-2s as a first step, which doubles as confirmation that the impersonated executive and the targeted employee sit where the org chart says they do, and then follow up with a second request for a fraudulent wire transfer.

Some companies lost thousands of dollars to this fraud in 2016 alone.

"This is one of the most dangerous email phishing scams we've seen in a long time," says IRS Commissioner John Koskinen. "It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns."


Last year, the IRS saw attempts to entice employees into sending out databases of employees' W-2 forms, which contain employees' names, addresses, Social Security numbers and wage data. To convince unwitting employees, the hackers modify the sender's address so the message appears to come from someone within the organization. The emails target those with access to employee payroll records, with the sender pretending to be an executive.

Once the W-2s have been stolen and the hacker knows the employee has trusted the fraudulent sender's email request, the second part of the scheme is launched. The employee again receives an email from the "trusted" executive, this time requesting a wire transfer of funds to an account controlled by the hacker.

"Some companies have lost both employees' W-2s and thousands of dollars due to wire transfers," the IRS says.

How To Protect Against This Attack

The best defense focuses more on processes than technologies.

Employers must create internal policies and ensure that employees are apprised of them. The rules should govern both the distribution of employee W-2 information and the initiation of wire transfers. Email requests to send money or payroll data must be verified with the person who appears to request them, either on the phone or in person, never by replying to the email.
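The process controls above can be backed by a simple mail-flow check that routes suspicious requests to the verification step rather than replacing it. The following is an added example (not from the IRS alert or the original post); the organization domain, the executive list and the sample message are constructed, hypothetical values. It flags the sender tricks the scam relies on: a known executive's display name paired with an unfamiliar address, a lookalike domain, and a Reply-To that diverts answers elsewhere.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: the organization's real domain and the
# executives whose names the scam borrows (hypothetical, not from the IRS alert).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Character swaps commonly used in lookalike domains, folded before comparing.
LOOKALIKES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
# The two requests this scam makes: payroll data first, then a wire transfer.
REQUEST_RE = re.compile(r"\bw-?2s?\b|wire transfer", re.IGNORECASE)

# Constructed sample of the first-stage message (hypothetical addresses).
SAMPLE_PHISH = """From: "Jane Doe" <Jane.Doe@examp1e.com>
Reply-To: jane.doe.ceo@freemail.invalid
Subject: W-2s needed today

Please send me the W-2s for all employees in PDF format.
"""


def fold_lookalikes(domain):
    """Map confusable characters so examp1e.com compares equal to example.com."""
    domain = domain.lower()
    for confusable, plain in LOOKALIKES.items():
        domain = domain.replace(confusable, plain)
    return domain


def impersonation_indicators(raw_message):
    """Return the reasons a message looks like executive impersonation ([] if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:
        reasons.append(f"display name '{name}' used with unknown address {addr}")
    if domain != ORG_DOMAIN and fold_lookalikes(domain) == fold_lookalikes(ORG_DOMAIN):
        reasons.append(f"lookalike domain {domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if reasons and REQUEST_RE.search(body):  # only escalate sender anomalies
        reasons.append("requests W-2 data or a wire transfer")
    return reasons


if __name__ == "__main__":
    print(impersonation_indicators(SAMPLE_PHISH))
```

A message from the genuine executive address with no Reply-To yields an empty list, so routine payroll mail is not held up.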