Lookout for W2 Phishing Attacks During Tax Season


Tax season is a particularly busy time of year for folks from the payroll department and the finance team. They are preparing to deliver statements that must be correct for their employees to be able to pay their taxes. They aren’t the only folks that are busy — hackers are also ramping up their game.

Cybercriminals start their tax season by researching the websites of companies that make enough money, have a good number of employees, or might be lax when it comes to security. Organizations in certain industries, such as healthcare, legal, and manufacturing, are go-to targets; their websites almost always contain enough information to get the ball rolling. Tidbits such as the HR leader’s name and the executive team’s details can be relatively easy to find.

A W2 phishing attack example

All a hacker needs is a sample of what an organization’s internal email looks like and an employee careless or distracted enough to make a mistake. Let’s explore a scenario of how a W2 phishing attack can occur.

An email appears in the inbox of an unsuspecting HR Director…

“Hi Naomi, we are starting an audit today with our new auditing partners, please immediately send them our latest W2 file to the following email address.”

The email Naomi received appears to come directly from the chief financial officer (CFO). Without questioning anything, she pulls the W2 file, but notes that the file is too large to send via email, so she replies to the original request to let the “CFO” know. The hacker, still posing as the CFO, responds swiftly:

“No problem, here is a DropBox location where you can post the file.”

Nobody falls for this stuff, right?

The HR Director uploads the W2 file to the DropBox site and sends an email to the “auditor,” then goes on a short break. Upon returning to her desk, she notices that the email has bounced. Getting nervous, she picks up the phone and calls the real CFO to tell him that her email is not delivering… He immediately asks the question, “What auditor?”

In a blind panic, she pulls the W2 file from the DropBox account as she explains to the CFO what had occurred. His response was naive:

“The file has only been out there for a few minutes, right? Don’t worry about it. Everything is going to be just fine.” They both thought that was the end of the matter.

Two weeks later, Naomi was having lunch with an IT analyst, when she recounted the story of the near miss. The analyst immediately raised the issue up the chain of command to the chief information officer (CIO) and chief information security officer (CISO).

The CIO called the CFO and said:

“I’m going to need budget set aside for identity protection for all of the people listed in the W2 file, and we need to call the IRS, FBI, and the Colorado Bureau of Investigation. Unfortunately, there are more than 600 names in that file, and this constitutes a breach. I will have to report this to the federal agencies and the attorneys general of all of the states involved.”

Cutting to the chase, identity protection was purchased and the breach was reported to the appropriate parties. The investigation found that the hacker was after the W2 information in order to commit tax fraud against the government using the identities in the file. Luckily, the potential disaster was averted, but had the attack succeeded, fraudulent tax returns would have been filed on behalf of the people named in the file, and the list itself would have been sold or dropped onto the dark web for identity theft.

The HR director could have avoided this level of disruption very easily had she questioned these context clues in the original email:

  • The auditor’s email address was a Gmail account.
  • The urgency of the email should have raised red flags.
  • While the style of the email was exactly what internal emails look like, most executives won’t push an urgent request for sensitive data and would not look for ways around internal security controls.
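The three context clues above can be turned into a mail-gateway heuristic. The following is an added example written for this article, not code from the original post: it scores a constructed message against the red flags (executive display name on an external sender, reply-to outside the company, free webmail destination in the body, urgency paired with a request for tax data). The company domain and the free-mail list are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample resembling the lure in the story (not a real message).
SAMPLE_EMAIL = """\
From: "Pat Example, CFO" <cfo.example@gmail.com>
To: naomi@example-corp.test
Reply-To: cfo.example@gmail.com
Subject: URGENT: W2 file for auditors

Hi Naomi, we are starting an audit today with our new auditing partners,
please immediately send them our latest W2 file to auditpartner@gmail.com.
"""

INTERNAL_DOMAIN = "example-corp.test"  # assumed company domain
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
EXEC_TITLES = ("cfo", "ceo", "chief financial officer")
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
SENSITIVE = re.compile(r"\bw-?2s?\b|payroll|ssn|social security", re.I)
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")  # captures the domain


def assess_w2_lure(raw: str) -> dict:
    """Score one RFC 822 message against the red flags from the article.

    Returns the triggered indicators and a verdict. This is a heuristic for
    triage, not proof of fraud; two or more indicators route to quarantine."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", addr))
    body = msg.get_payload() if not msg.is_multipart() else next(
        (p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"), "")
    text = f"{msg.get('Subject', '')}\n{body}"
    from_dom = addr.rsplit("@", 1)[-1].lower()
    reply_dom = reply_to.rsplit("@", 1)[-1].lower()
    flags = []
    # 1) Executive title in the display name, but the mail did not come from our domain.
    if any(t in name.lower() for t in EXEC_TITLES) and from_dom != INTERNAL_DOMAIN:
        flags.append("exec_display_name_external_sender")
    # 2) Replies are redirected outside the company.
    if reply_dom != INTERNAL_DOMAIN:
        flags.append("external_reply_to")
    # 3) The body asks for data to be sent to a free webmail address (the "auditor").
    if any(d.lower() in FREEMAIL for d in ADDRESS.findall(body)):
        flags.append("freemail_destination_in_body")
    # 4) Urgency language combined with a request for tax or payroll data.
    if URGENCY.search(text) and SENSITIVE.search(text):
        flags.append("urgent_sensitive_data_request")
    return {"flags": flags, "verdict": "quarantine" if len(flags) >= 2 else "allow"}
```

A real deployment would also check SPF/DKIM alignment and whether the sender appears on the internal executive list, but the four checks above already catch the lure in the story.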

Reduce risk to W2 phishing attacks during tax season

As shown in the example with Naomi, employees make mistakes and unfortunately fall victim to phishing scams. The reality is, we live in a world where a simple email can lead to major disruption for the business.

With tax season upon us, it’s important that security leaders educate the workforce about potential phishing scams and keep them on high alert for W2 phishing attacks. Encourage employees to flag anything suspicious and, when in doubt, to pick up the phone and call the leader who is asking for urgent information. Make sure they dial a number from the internal phone list, because hackers will stand by to answer calls to the number given in their fake email. Share these ten tips to help them stay vigilant against suspicious emails.

For more tips on spreading awareness across your organization, download The Security First Guidebook to help you establish a robust awareness program and security-first culture.