Taking Back the ID

W-2 spear phishing taking a toll, plus phone hijacking

Date: July 1, 2018
Read Time: 6 mins

After Duke Hobbs filed his recent federal tax return, the U.S. IRS notified him that it had already received his return and issued his tax refund. Dumbfounded, he immediately visited a local IRS office to discuss the situation and get help. The staff member told him that he was a victim of tax refund fraud and gave him instructions to remedy the problem. Returning to work the following week he told some of his co-workers about his problem and was surprised to hear that others in the organization were also victims of the same scam. These victims were greatly concerned that so many employees in the same organization got scammed. In a follow-up discussion with IRS agents at the local office, the agents told the victims that criminals probably used the recent popular W-2 email phishing scam to target their employer to gain important personally identifiable information (PII) about them.

W-2 email phishing swindle

This scam emerged during the 2016 tax season and, like other successful schemes, has evolved in scope to become a popular and lucrative profit center for cybercriminals. During the 2016 tax season the cybercriminals targeted organizations in the corporate world, but starting in the 2017 tax season the scam spread to other sectors, including tribal organizations, school districts, restaurants and hospitals. IRS commissioner John Koskinen established the severity of the problem in a Feb. 2, 2017, press release. (See Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups and Others.) “This is one of the most dangerous email phishing scams we’ve seen in a long time,” said Koskinen. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

Compared to a mass email phishing scam, the W-2 email phishing scam is classic spear phishing. It’s sometimes referred to as a business email compromise (BEC) or business email spoofing (BES). (For an explanation of the BEC see my January/February 2016 Fraud Magazine column Business email scam rampant.)

In a mass email phishing scam, a cybercriminal normally targets hundreds, if not thousands, of potential victims at the same time. In a typical spear-phishing scam, by contrast, the cybercriminal preselects an organization and impersonates a company executive to target an employee, usually one who has access to important information or has the authority to transfer money. In both the W-2 and the wire-transfer variations, the fake email typically carries the actual name of the company CEO so that the request looks legitimate. In a March 1, 2016, press release the IRS revealed these examples of the details included in the fake W-2 emails:

  • “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?”
  • “I want you to send me the list of W-2 copy of employee’s wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

With the W-2 email phishing scam, the scammers ask payroll or human resources staff members for copies of W-2 forms for all employees. The forms contain a wealth of PII, including names, addresses, Social Security numbers, salary, wage and withholding information. The criminals use the pilfered information to file fake income tax returns and sometimes follow up with a request to wire transfer money to an account. (For an analysis of the issues relating to income tax refund fraud, see my two Fraud Magazine articles “Identity theft tax refund fraud — parts 1 and 2” from March/April 2014 and May/June 2014, co-written with Tiffany McLeod and Adrian Harrington.) Thus, an organization is hit with a double whammy — loss of W-2 information and money. In addition, employees who are caught in the trap face the risk of fraudsters using the W-2s’ PII in numerous identity theft scams, including income tax fraud.
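To make the impersonation pattern concrete, here is an added example (not code from the column, the IRS or the FBI) of a small triage check that a mail gateway or a payroll team’s mailbox rule could run over an incoming message. It flags a display name that matches a known executive but sits over an address that isn’t theirs, a sender domain outside the company, a Reply-To that points somewhere else, and W-2 or wire-transfer language in the subject or body. The company domain, the executive directory and the two sample messages are constructed assumptions.

```python
"""Triage check for executive-impersonation emails of the W-2/BEC kind.

Added illustration, not code from the column, the IRS or the FBI. The
company domain, executive directory and sample messages are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumed internal mail domain

# Assumed directory: lower-cased display name -> that executive's real address.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Language typical of the W-2 and wire-transfer asks quoted by the IRS.
ASK_PATTERN = re.compile(
    r"\b(w-?2s?|social security|earnings summary|wire transfer|wage and tax)\b",
    re.IGNORECASE,
)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess_message(raw):
    """Return the impersonation indicators found in a raw RFC 5322 message.

    An empty list means nothing fired; the caller picks the action, e.g.
    quarantine or a warning banner when two or more indicators are present.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(addr)
    indicators = []

    known_addr = EXECUTIVES.get(display.strip().lower())
    if known_addr and addr.lower() != known_addr:
        # The real executive's name over someone else's address:
        # display-name spoofing, the core of the W-2 scam email.
        indicators.append("display-name impersonates executive")
    if from_domain and from_domain != COMPANY_DOMAIN:
        indicators.append("sender domain is external")
    if reply_to and _domain(reply_to) != from_domain:
        # Replies (and any attached W-2 PDFs) would go to a third address.
        indicators.append("reply-to domain differs from sender")
    if ASK_PATTERN.search(msg.get("Subject", "") + "\n" + _body_text(msg)):
        indicators.append("asks for W-2/payroll data or a wire transfer")
    return indicators


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: ceo.office@mail-relay.example
To: payroll@example-corp.com
Subject: W-2 request

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all
W-2 of our company staff for a quick review.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Lunch

Are we still on for Friday?
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess_message(raw))
```

Enforcing DMARC on the company’s own domain stops exact-domain spoofing of the CEO’s address, but it does nothing against a lookalike domain or a free webmail account carrying the CEO’s name, which is why the display-name comparison against a directory of executives is the check that matters here. The indicators are deliberately independent so a team can tune which combination triggers quarantine versus a banner.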

In a Feb. 21, 2018, public service announcement, the FBI instructs organizations to report the W-2 email phishing scam, and help protect the affected employees, by emailing the IRS immediately at dataloss@irs.gov. They should type “W-2 Data Loss” in the subject line and provide this information:

  • Business name.
  • Business employer identification number (EIN) associated with the data loss.
  • Contact name and phone number.
  • Summary of how the data loss occurred.
  • Number of employees impacted.

To reduce the risk of becoming a victim of the W-2 email phishing scam or executing a fraudulent wire transfer, the FBI recommends that organizations adopt some of these methods:

  • Limit who has the authority to approve and/or conduct wire transfers and handle W-2 related requests or tasks.
  • Use “out-of-band” authentication to verify requests for W-2-related information or wire transfer requests that appear to be coming from executives. Out-of-band means a channel other than the one the request arrived on, using contact details already on file rather than any phone number or address supplied in the email itself. These extra steps might include speaking to the executive to obtain verbal verification, establishing a phone Personal Identification Number to verify the executive’s identity or sending the executive a one-time code by text message along with a phone number to call to confirm the wire transfer request.
  • Delay the transaction until staff members obtain additional verifications, such as waiting until the bank contacts them to confirm the transfer.
  • Require dual-approval for any wire transfer request involving one or more of the following: 
    • A dollar amount over a certain amount.
    • Trading partners who aren’t on a “white list” of approved trading partners to receive wire payments.
    • New trading partners.
    • New bank and/or account numbers for current trading partners.
    • Wire transfers to countries outside of the normal trading patterns.
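The dual-approval criteria above translate directly into a routing rule a payments team can automate. Here is an added example (not code from the column or the FBI PSA) that takes a wire request plus the organization’s approved-partner list, with each partner’s previously verified bank accounts and countries, and returns every criterion the request trips; a non-empty result means the request must go to two approvers. It goes slightly beyond the list by also checking the destination country against each partner’s own history, not just the organization-wide pattern. The dollar threshold, the partner list, the “normal” countries and the sample requests are constructed assumptions.

```python
"""Decide whether a wire-transfer request needs dual approval.

Added illustration, not code from the column or the FBI PSA. The dollar
threshold, the approved-partner list, the "normal" countries and the
sample requests are all constructed assumptions.
"""
from dataclasses import dataclass

DUAL_APPROVAL_THRESHOLD = 10_000.00  # assumed dollar threshold


@dataclass
class Partner:
    """An approved trading partner and the payment details verified for it so far."""
    name: str
    accounts: set   # bank/account identifiers previously verified for this partner
    countries: set  # countries this partner has been paid in before


@dataclass
class WireRequest:
    payee: str
    account: str
    country: str
    amount: float


# Assumed "white list" of approved partners with verified details.
APPROVED_PARTNERS = {
    "Acme Supplies": Partner("Acme Supplies", {"US-111222333"}, {"US"}),
    "Globex GmbH": Partner("Globex GmbH", {"DE-444555666"}, {"DE"}),
}
# Assumed normal trading pattern for the organization as a whole.
NORMAL_COUNTRIES = {"US", "DE", "CA"}


def dual_approval_reasons(req, partners=APPROVED_PARTNERS,
                          normal_countries=NORMAL_COUNTRIES,
                          threshold=DUAL_APPROVAL_THRESHOLD):
    """Return each FBI criterion the request trips; empty means one approver suffices."""
    reasons = []
    if req.amount > threshold:
        reasons.append(f"amount {req.amount:,.2f} exceeds {threshold:,.2f}")
    partner = partners.get(req.payee)
    if partner is None:
        reasons.append("payee is not on the approved partner list (new partner)")
    else:
        if req.account not in partner.accounts:
            # The signature BEC move: a known vendor "changes" its bank details.
            reasons.append("new bank/account number for an existing partner")
        if req.country not in partner.countries:
            reasons.append(f"{req.payee} has never been paid in {req.country}")
    if req.country not in normal_countries:
        reasons.append(f"destination {req.country} is outside normal trading patterns")
    return reasons


def confirm_account(partner, account, country):
    """Record new details only after out-of-band verification with the partner."""
    partner.accounts.add(account)
    partner.countries.add(country)


# Constructed sample requests.
ROUTINE = WireRequest("Acme Supplies", "US-111222333", "US", 4_250.00)
CHANGED_ACCOUNT = WireRequest("Acme Supplies", "KY-999000111", "KY", 4_250.00)
NEW_PARTNER_LARGE = WireRequest("Initech", "US-777888999", "US", 250_000.00)

if __name__ == "__main__":
    for req in (ROUTINE, CHANGED_ACCOUNT, NEW_PARTNER_LARGE):
        reasons = dual_approval_reasons(req)
        print(req.payee, "->", "DUAL APPROVAL" if reasons else "single approval", reasons)
```

The important design choice is that a partner’s record is updated only through confirm_account, i.e. after the new bank details have been verified out-of-band with a contact already on file. Until then every payment to the changed account keeps tripping the rule, which is exactly the friction the scam relies on staff skipping.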

Phone hijacking

Over the past decade, smartphones have become a major fixture in the hands of most individuals throughout the world. They’ve enhanced and improved our communication and decision-making processes. New innovations in smartphone technology emerge every year, which is leading to new functions and greater data storage capacity.

But along with the good comes the bad. Cybercriminals have been diligent in adapting old schemes and developing new ones to plant malware that steals unprotected PII and other resources from individuals.

According to the Identity Theft Resource Center’s scam alert Phone Hijacking: The Latest Identity Theft Threat, phone hijacking is a form of account takeover. Although exact figures aren’t yet available for 2017 and the early part of 2018, in 2016 alone the number of phone hijacking incidents doubled and all forms of account takeover fraud caused financial losses of more than $2 billion.

A thief pulls off this scam by first gathering the victim’s PII from various sources: password, email address, cellphone number (especially useful if it doubles as the user name on the cellphone account), medical account information, Social Security number and date of birth. The thief then takes over the account by visiting a mobile carrier store, giving the victim’s name and PII to convince a salesperson to upgrade the account, and walking out with a couple of new phones charged to the victim.

Red flags that your smartphone might have been hijacked include:

  • Your phone stops working or experiences glitches.
  • Your next phone bill includes charges for new phones.
  • You receive a “changed password” message from your provider.

A victim who observes any of these red flags should contact their provider immediately. Most carriers also let customers set an account PIN or passcode that must be given before changes are made in a store or over the phone; set one. An important takeaway: don’t reuse passwords across accounts. Data breaches have increased significantly over the past few years, so a password exposed in one breach is increasingly likely to be tried against your carrier, email and financial accounts.

Share this information with your business associates, family, friends and clients and include it in your outreach programs. New identity theft scams and new versions of old ones continue to emerge. You’ve been forewarned, so tread with care!

Please contact me if you have identity theft or cyber-related issues you’d like me to research and possibly include in future columns or feature articles, or if you have any questions about this column or other cybersecurity and identity theft issues. I don’t have all the answers, but I’ll do my best to help. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the 2017 Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.

 
