
Business Email Compromise (BEC) scams, specifically W-2 scams, remain a threat this tax season in the United States, not only to citizens and employees preparing their taxes but also to the businesses that employ them.
Business Email Compromise scams have been associated with tax season, which in the U.S. runs from January through April. As we head into the 2022 tax season, it’s a good time to remind employees how to recognize these emails and avoid falling prey to these scams.
In recent years, the IRS has issued alerts that cybercriminals are using executive impersonation email scams. In 2021, they reminded taxpayers that the IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
Executive impersonation Business Email Compromise (BEC) or Business Email Spoofing (BES) scams consist of cleverly manufactured emails designed to look legitimate – often using lookalike domain names to send the email – and have the appearance of coming from an executive. The email often asks for internal data that only a high-level executive can typically ask for and receive without additional checks and balances.
During tax season, the email often targets human resources or payroll managers and specifically requests employee W-2 files, making it a W-2 scam. Cybercriminals comb LinkedIn and other social media sites to find the information they need to specifically target an individual employee, such as in this example:

United States Internal Revenue Service (IRS) W-2 Tax Forms are distributed in January every year by organizations to both employees and to the IRS, reporting the employee’s annual wages and the amount of taxes withheld from a paycheck over the past year. The form also conveniently includes all pertinent information needed to file a basic tax return – including the employee’s Social Security Number and current address. In W-2 scams, this is the form that is almost always requested by bad actors.
The IRS provides a valuable resource page for understanding these types of attacks and who to contact if you or your organization have fallen victim: https://www.irs.gov/newsroom/tax-scams-consumer-alerts.
Beyond Tax Scams
Though there is a heavy focus on tax scams in the first four months of the year in the U.S., W-2 scams are only one of the many ways BEC scams can be used. These focused attacks attempt to compromise data or steal money by socially engineering an employee into taking an action, sometimes by sending a wire transfer or replying to the email with data. In other cases, employees are tricked into opening an attachment that contains malware. Indeed, ransomware is often distributed via targeted, customized emails, and all it takes is one employee to open the attachment. Human resources employees may be targeted more heavily, because they routinely receive emails from external email addresses with .pdf attachments.
How to Protect Your Organization from Tax Scams
- Employee education, awareness and empowerment are key to fighting social engineering tactics. Each employee must understand that they are the first line of defense and should question any out-of-the-norm communications.
- Employees (and all consumers in general) should be suspicious of pressure to take urgent action or action outside of normal business practices.
- Train team members to hit “forward” instead of “reply” so they are forced to type or select the correct “To:” email address. Forwarded W-2 scams only exacerbate the problem.
- Pre-establish internal checks and balances to prevent one person from being able to send a wire transfer or email sensitive information such as an entire employee roster.
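The traits described above (a lookalike sending domain, an executive's name on the message, a reply address that differs from the sender, and a request for W-2 data) can also be checked mechanically on inbound mail. The following is an added example, not part of the original article; the domain, executive names, keywords and sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                 # assumption: the organization's real mail domain
EXECUTIVES = {"jane doe", "john smith"}    # assumption: names likely to be impersonated
KEYWORDS = ("w-2", "w2", "wire transfer")  # assumption: terms that mark a sensitive request

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    flags = []
    if domain != ORG_DOMAIN:
        # Near-miss of the real domain, e.g. a digit swapped in for a letter.
        if 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
            flags.append("lookalike-domain")
        # Executive display name arriving from outside the organization.
        if name.lower() in EXECUTIVES:
            flags.append("executive-name-external-sender")
    # A reply would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != domain:
        flags.append("reply-to-mismatch")
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(k in text for k in KEYWORDS):
        flags.append("sensitive-request")
    return flags

# Constructed sample message (not a real email): "examp1e.com" uses the digit 1.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mailbox.test
To: payroll@example.com
Subject: Urgent request

Please send me all employee W-2 forms as a PDF today.
"""

if __name__ == "__main__":
    print(bec_flags(SAMPLE))
```

A message that raises several of these flags at once is a candidate for quarantine or an out-of-band confirmation with the named executive before anyone replies.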
In the name of best practices, it is recommended that your business take a proactive step to prevent, detect, and mitigate the damage of fraudulent phishing and malware activity against your company.
The IRS is recommending organizations report receiving W-2 scams to both the IRS at phishing@irs.gov with the subject line “W-2 Scams” and to the FBI’s Internet Crime Complaint Center (IC3).
For individuals whose W-2 forms may have been compromised in any W-2 scams, the IRS advises reviewing recommended actions by the Federal Trade Commission (FTC) at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
Additionally, during tax season there are often other IRS-related scams in the form of phone calls demanding payment for a tax return. The IRS will never demand payment over the phone, call you for personal information, or threaten to bring in local law enforcement to arrest you for non-payment. Do not give out any personal information over the phone when you receive a call of this nature. Call the IRS at 800-829-1040 for help.
Author: Stefanie Wood – Director, Product Manager – Online, Brand, Fraud; OpSec Security