It’s officially an epidemic: More than 50 organizations have been successfully targeted by W-2 spear phishing attacks since January—and the list continues to grow, with Pivotal Software and Kentucky State University as the latest victims.
Companies in a wide range of industries from healthcare to storage manufacturing have been fooled by attackers into leaking their employees’ tax forms, including Snapchat, Nation’s Lending Corporation, Care.com and Sprouts grocery stores. Some attacks have exposed the confidential information of tens of thousands of people. Overall, the IRS said that it has seen a 400% surge in phishing and malware incidents so far this year, bent on stealing tax information.
In the Pivotal case, an unknown third party last week sent a fraudulent email message impersonating CEO Rob Mee to an employee requesting tax information about Pivotal employees. The company said in a notice [PDF] that the employee bought the ruse and responded to the request. No word on how many were affected, but Pivotal, a joint venture of EMC and VMWare, has less than 2,000 employees.
Kentucky State University meanwhile put 1071 employees in the hot seat after an employee last week inadvertently sent off KSU W-2s for 2015 and University identification information to criminals.
The scheme is fairly straightforward—using the whaling form of phishing, the attackers send an email to a finance department employee posing as a top executive. That email asks for employee W-2s—tax forms that contain everything an identity thief would need to file a fraudulent tax refund request, among other things. Given that this is tax season in the U.S., such a request from the supposed CEO/CFO is not outlandish, and usually the perpetrators spoof the email addresses to look legit.
“Since January, at least 55 companies have announced that they had fallen victim to a highly tailored spear phishing scheme,” said Tom Landesman, a researcher at Cloudmark Security, in a blog. “This scheme is responsible for stealing and compromising the W-2 U.S. tax records of every employee working for these companies during 2015.”
The first step, he said, begins with a bit of research about a company. Scraping popular forms of public data, such as LinkedIn and Twitter, often yields the names and titles of many employees in a company.
“Then, a quick search for the company’s website will often provide the name of the domain used in their email,” he explained. “With these items in hand, attackers now have their target’s email address as well as the email of a higher ranking member of the company — often a CEO or CFO.”
The fallout from the epidemic is likely to be serious. W-2 documents have a wide range of sensitive information that can be used for various forms of identity fraud, including stealing victims’ tax returns. This has become a shockingly vibrant cottage industry.
“Rapper J-Creek has a song on YouTube about the need for a money mule (or ‘drop hoe’) to collect fraudulent tax refunds,” Landesman said. “There are even reports of classes on how to file fraudulent tax returns being held in church basements.”
But, there are other things that can happen too. “Criminals harvesting W-2 information by spearphishing will probably not exploit them directly,” he added. “These compromised data sets will probably be sold off on underground, Silk Road-like forums to a number of different small operators who will file fraudulent tax returns in the name of the victims.”
Obviously the gaping issue here is employee awareness. At the very least, when confronted with an email requesting that amount of sensitive personal information, payroll employees should verify the request with a phone call.