At the beginning of this month, the Internal Revenue Service issued a warning to payroll and human resource professionals to alert them to a new twist on an old type of cyber attack. This came a month after the IRS reported a 400 percent rise in tax-related phishing and malware incidents. According to the IRS website, attackers have now set their sights on payroll departments in particular, because that is where the data needed to defraud unsuspecting employees is concentrated.
By impersonating company executives, the hackers have been able to trick human resources professionals into sending them employees’ W-2s. The method of attack is a simple phishing email, which, as we reported in a recent blog, is not difficult for a hacker to implement and reaps large rewards if the victim falls for it.
Why do hackers want W-2s? An employee's W-2 contains a name, Social Security number, home address, and earnings information for the previous year - everything a criminal needs in order to file a fraudulent return and collect the refund before the real taxpayer files.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen.
Many large companies have recently been hit with this kind of attack including AmeriPride, Evening Post Industries, Main Line Health, Seagate, Snapchat, and more. The IRS is currently reviewing these cases and working to file criminal charges against the hackers.
Seagate suffered a particularly bad attack. Though the IRS is still investigating, several thousand current and former employees are believed to be affected. Seagate is offering those employees credit monitoring through Experian. However, the biggest threat they face - tax refund fraud - is not addressed by credit monitoring: monitoring alerts on new credit accounts opened in a victim's name, but it does not see a fraudulent return filed with the IRS under that Social Security number. Victims typically discover that fraud only when their own return is rejected as a duplicate.
The hackers have been so successful because they rely on email spoofing, the sender-forgery technique that phishing builds on. The From: address of an email is just a header the sender writes, so an attacker can put the CEO's exact address in it, or use a look-alike domain that differs by a single character, and the message appears to come directly from the CEO. Unless recipients are trained to check, they are none the wiser. In the email, the "CEO" asks a payroll department employee for a list of employees and their details, including Social Security numbers.
IRS.gov lists the following phrases commonly used in the phishing email:
“Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
“Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
“I want you to send me the list of W-2 copy of employee wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
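The header forgery described above and the IRS phrase list are both things a mail gateway or a payroll team's inbox rule can check mechanically. The following is an added example, not code from the original post or from the IRS: it parses three constructed messages (a spoofed request with a forged From: address, a request from a look-alike domain, and a legitimate internal email) and reports the warning signs a practitioner would look for. The company domain, the executive name, the look-alike domain and all Authentication-Results values are invented for the example; in practice those results come from the receiving mail server's SPF/DKIM/DMARC checks.

```python
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"   # assumed company domain
EXECUTIVE_NAMES = {"jane doe"}        # assumed executive display names that attackers impersonate
# Phrases taken from the IRS list above, plus the data fields the lure asks for.
LURE_PHRASES = ("w-2", "earnings summary", "wage and tax statement",
                "social security number", "list of employees")

# Constructed sample messages (not captured traffic); every header value is invented.
SPOOFED_MSG = b"""\
From: "Jane Doe" <jane.doe@example-corp.com>
Reply-To: jane.doe.ceo@gmail.com
Return-Path: <bounce@mail-sender.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-sender.net; dkim=none; dmarc=fail header.from=example-corp.com
To: payroll@example-corp.com
Subject: W-2 request

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
"""

# Attacker registered a look-alike domain, so SPF/DKIM/DMARC all pass for *their* domain.
LOOKALIKE_MSG = b"""\
From: "Jane Doe" <jane.doe@example-c0rp.com>
Return-Path: <jane.doe@example-c0rp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-c0rp.com; dkim=pass header.d=example-c0rp.com; dmarc=pass header.from=example-c0rp.com
To: payroll@example-corp.com
Subject: Employee list

Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
"""

LEGIT_MSG = b"""\
From: "Jane Doe" <jane.doe@example-corp.com>
Return-Path: <jane.doe@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
To: payroll@example-corp.com
Subject: Q1 offsite

Can we move the payroll sync to Thursday?
"""


def _domain(addr):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(msg):
    """Parse 'spf=pass', 'dkim=fail', ... out of Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:  # the first clause is the authserv-id
            tokens = clause.split()
            if tokens and "=" in tokens[0]:
                method, result = tokens[0].split("=", 1)
                results[method.lower()] = result.lower()
    return results


def analyze(raw_message):
    """Return a list of human-readable warning signs for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    # An executive's name on a From: address outside the company domain.
    if display_name.lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append(f"executive name '{display_name}' on external domain {from_domain}")

    # Replies or bounces routed somewhere other than the claimed sender's domain.
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(str(msg.get(header, "")))
        if addr and _domain(addr) != from_domain:
            findings.append(f"{header} domain {_domain(addr)} differs from From domain {from_domain}")

    # Any SPF/DKIM/DMARC result other than pass, as recorded by the receiving MTA.
    for method, result in _auth_results(msg).items():
        if result != "pass":
            findings.append(f"{method}={result}")

    # The lure text itself.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    hits = [phrase for phrase in LURE_PHRASES if phrase in body]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("lookalike", LOOKALIKE_MSG), ("legit", LEGIT_MSG)):
        print(label, analyze(raw) or ["no findings"])
```

The look-alike case is the one to note: every authentication check passes, because the attacker controls the domain that was actually used, so the only signals left are the executive's name on a foreign domain and the content of the request. That is why the IRS advice to verify out of band matters even on a mail system with DMARC enforced.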
To combat this, Commissioner Koskinen said, “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
In addition to educating employees about these types of emails, companies need technical controls that actually act on email. A network firewall does not examine who sent a message or what it asks for, so it will not stop a phishing email on its own. What does help: publishing SPF, DKIM and DMARC records for the company domain so that a forged From: address fails authentication at the receiving mail server, configuring the mail gateway to tag messages that arrive from outside the organization, and requiring out-of-band confirmation (a phone call or a fresh message to a known address, never a reply) before any W-2 or Social Security number data leaves payroll. None of this stops every attempt, but it removes the attacker's easiest path.