Former Secretary of Homeland Security Jeh Johnson said last year that phishing is the biggest threat to your cybersecurity. The IRS shares his concern, and they’ve issued a warning about a new round of tax season attacks that have already claimed 29,000 victims.
As reported by CSO Online, the IRS is urging businesses and organizations to be on the lookout for scams relating to their employees’ W-2 forms. The W-2 is a treasure trove of personal information. Stealing these forms — or tricking an employee into handing them over — is a major win for fraudsters.
These tax record attacks follow a strategy used in other corporate phishing attacks. A cybercriminal poses as a high-level executive, often using a domain name that closely resembles a company’s actual name. If spacelysprockets.com were the real address, for example, they might send phishing emails from spacelyspr0ckets.com. That’s a zero, not an o… and that’s the kind of subtle change that phishing victims often overlook.
Example W-2 phishing email, courtesy KrebsOnSecurity
The bogus executive creates a sense of urgency and demands that someone in HR or Payroll forward all employee W-2s so that they can be “reviewed.” A number of high-profile companies were hit by business email compromises (or BECs) like this last year, and scammers appear to be off to a quick start this year, too.
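A mail filter can catch the zero-for-o substitution described above even when a hurried reader does not. The following is an added example, not code from the article or from the IRS: the `PROTECTED` set, the `CONFUSABLES` table, the `classify` function and the sample headers are all assumptions made for illustration, and the substitution table is deliberately small.

```python
from email.utils import parseaddr

# Assumption: the organisation's real mail domain (the article's example name).
PROTECTED = {"spacelysprockets.com"}
# Hand-picked ASCII look-alike substitutions; illustrative, not exhaustive.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(domain):
    """Collapse look-alike characters so visually similar names compare equal."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, used to catch dropped, added or substituted letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_header, max_typos=2):
    """Return 'internal', 'lookalike:homoglyph', 'lookalike:typo' or 'external'."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in PROTECTED:
        return "internal"
    for real in PROTECTED:
        if skeleton(domain) == skeleton(real):
            return "lookalike:homoglyph"
        if edit_distance(domain, real) <= max_typos:
            return "lookalike:typo"
    return "external"

# Constructed From: headers for the demonstration.
SAMPLES = [
    "Payroll <payroll@spacelysprockets.com>",
    "CEO <ceo@spacelyspr0ckets.com>",
    "CEO <ceo@spacelysprocket.com>",
    "Vendor <billing@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):20} {header}")
```

Messages classified as a lookalike are the ones to quarantine or banner before anyone in HR or Payroll acts on them.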
A New Twist
The IRS also advised that scammers have tweaked their W-2 attacks this year. The added wrinkle: they’re also asking for wire transfers to be made. It’s a nasty one-two punch, and it could cost victims thousands of dollars… on top of the damage done by mass identity theft.