OK, heads up! This tax season there is a widespread new scam that specifically targets your HR and Accounting professionals. They get an urgent email from "the CEO" asking for the W-2 information of all employees. People are falling for this in droves. The reports are coming in by the hundreds and even the IRS has put out an alert about this scam. If they are jumping in, you know it's serious.
DO THIS FIRST: So, before anything else, I strongly suggest you warn your Accounting and HR teams NOW that there is a new strain of CEO Fraud asking for W-2's. Tell them to watch out for fraudulent emails asking for W-2 information, and to always verify requests like that using something other than email (phone, text). Warning these teams immediately may prevent a host of expensive problems.
Here is what the IRS said: "This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments," said IRS Commissioner John Koskinen. "If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees."
IRS Criminal Investigation already is reviewing several cases in which people have been tricked into sharing SSNs with what turned out to be cybercriminals. Criminals using personal information stolen elsewhere seek to monetize data, including by filing fraudulent tax returns for refunds.
This phishing variation is known as a “spoofing” email. It will contain, for example, the actual name of the company chief executive officer. In this variation, the “CEO” sends an email to a company payroll office employee and requests a list of employees and information including SSNs.
The following are some of the details contained in the e-mails:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
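As an added illustration (not part of the original post, and not KnowBe4's tooling), here is a small Python check for the red flags the IRS describes: an executive's display name on an address outside the company, a diverted Reply-To, and W-2/SSN request language like the lures above. The corporate domain, the executive name and the two messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real emails) modelled on the lures quoted in the post.
SAMPLE_SPOOF = """From: John Doe <john.doe@mail-example.net>
Reply-To: John Doe <ceo.urgent@mail-example.net>
To: payroll@example.com
Subject: W-2 request

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all
W-2 of our company staff for a quick review.
"""

SAMPLE_LEGIT = """From: Jane Roe <jane.roe@example.com>
To: payroll@example.com
Subject: lunch

Are we still on for 12:30?
"""

# Assumed values: the organisation's own mail domain and its executives' names.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"john doe"}
# Phrases taken from the lures quoted in the post, plus the data they ask for.
LURE_PATTERNS = [
    r"\bw-?2s?\b",
    r"social security number|\bssn\b",
    r"earnings summary|wage and tax statement",
    r"list of employees",
]
def assess(raw: str) -> dict:
    # Parse one RFC 822 message and collect the red flags it shows.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + body.decode(errors="replace")).lower()
    flags = []
    from_domain = addr.rsplit("@", 1)[-1].lower()
    # Display name claims to be an executive, but the address is outside the company.
    if name.strip().lower() in EXECUTIVES and from_domain != CORP_DOMAIN:
        flags.append("exec-name-external-address")
    # Replies would be silently diverted to a different mailbox.
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append("reply-to-mismatch")
    hits = [p for p in LURE_PATTERNS if re.search(p, text)]
    if hits:
        flags.append("w2-data-request")
    return {"flags": flags, "lure_hits": len(hits)}
```

Any message that raises the first flag together with the third is exactly the case the IRS warns about and should be verified by phone before anything is sent.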
KnowBe4 was alerted early by customers who are using our (free) Phish Alert Button. This Outlook add-in allows their employees to click just one button to delete phishy emails and forward them, headers included, to IT. We even received one of these scams ourselves, and posted about it. Here are just a few other posts that illustrate the danger, but there are many, many more:
- 11,000 W-2's stolen from Health Care Workers
- SnapChat Employee Falls For W-2 Phishing Scam
- W-2 Tax forms for more than 2,500 GCI employees stolen in email scam
- Seagate Phish Exposes All Employee W-2's
- Ameripride
- Actifio
- Billy Casper Golf
- Evening Post Industries
- MoneyTree
As part of the warning, one thing you can do is download this PDF, print it out (and perhaps laminate) and ask HR and Accounting to read it and then pin it to their wall. It's got all the 22 social engineering Red Flags they need to watch out for. The Content section asks a few questions that would give someone pause before sending all employees' W-2's.
I was recently interviewed by ABC Action News on the subject of email spoofing and CEO fraud, see the video below:
Here is a way to manage the problem of this type of CEO Fraud. Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security. Get a product demonstration of the innovative KnowBe4 Security Awareness Training Platform. In this live one-on-one demo we will show you how you can:
- Send Simulated Phishing tests to your users and manage the Phish-prone percentage of employees.
- Roll out Training Campaigns for all users (or groups) with follow-up emails to "nudge" users who are incomplete on the training.
- Point-of-failure training auto-enrollment.
- NEW Phish Alert Button for Outlook so employees can report phishing attacks.
- NEW Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.