In early February, the IRS issued “an urgent alert” concerning the latest version of the phishing scam that targets W-2 payroll information. In a scenario that has played out countless times, hackers generate a fraudulent email that looks like it came from an organization executive, asking HR personnel to send back employee W-2 forms in a return message. When the forms are sent, they are used to file fraudulent tax returns and for other malicious purposes. This particular scam generally works as follows:
An employee in the targeted organization’s HR department receives a “spoofed” email, which superficially appears to come from a high-ranking member of management;
The spoofed email asks the employee to respond with electronic copies of the previous year’s W-2 earnings statements (which will include employees’ social security numbers, compensation information and home addresses) for all of the organization’s employees; and
The employee, believing that he or she is being responsive to a request from senior management, replies to the spoofed email with the requested tax information.
While all “social engineering” scams seek to find and exploit human weaknesses in order to gain access to sensitive information, this scam is brilliantly cynical: it exploits the imbalance of power between senior management and subordinate personnel by inducing a sense of urgency and desire-to-please with the goal of overwhelming the subordinate’s ability to think critically about the information request. Like any good card trick, the spoofed email creates a psychological distraction that blinds the recipient to the sleight of hand taking place right before his or her eyes.
The consequences of a successful W-2 phishing scam can be extremely serious for the target. Data breach notification laws may require delivery of notices to affected employees, government agencies, credit reporting agencies and/or the media. The organization will also need to report the incident to local and federal law enforcement agencies, as well as the IRS. In short, it will be a costly, time-consuming, distracting and morale-draining experience to deal with the aftermath of a W-2 phishing scam.
In its February alert, the IRS emphasized this scam has begun circulating even earlier this year and is targeting a broader group of organizations including school districts, chain restaurants, and health care organizations. IRS Commissioner John Koskinen called it “one of the most dangerous email phishing scams we’ve seen in a long time.” He stressed the need for vigilance and prompt reporting of incidents to the IRS, by forwarding these messages to firstname.lastname@example.org, under the subject line “W2 scam.”
As always, the first line of defense against every scam is workforce training and vigilance. In addition to sensitizing personnel to this and other phishing dangers, the IRS recommends organizations adopt a formal written policy about the distribution of W-2 information and other sensitive data. We recommend adopting a general policy triggered whenever an employee gets a request for any sensitive data from a colleague, requiring the employee to start a new email to the purported originator of the message, and never reply directly to the email. You can see the IRS alert on this subject here.