Cybersecurity Threats: W-2 Scam Targets Payroll and HR Employees

Posted by Sam Bloedow on 3/1/17 4:29 PM

W-2 Scam is a targeted Cybersecurity Threat

The Minnesota Department of Revenue is warning organizations of an uptick in phishing attempts by cybercriminals to steal W-2 information from businesses, schools and non-profits. This is not a new cybersecurity threat. In fact, it was one year ago today that a similar warning was published by the IRS. If you have IT services from a company like Thriveon, you may have several technical layers of protection that do not allow this type of email to get through to employees, but cybercriminal tactics are evolving every day, and a layered defense includes awareness of cybersecurity threats such as this. 

How to recognize the scam

The scam or "phish" will be an email to someone who is in Payroll or HR and will appear to be from an authority in the company, such as the CEO or the CFO. The text in the email will say that the executive wants to review all of the payroll data and he would like the W-2s of all employees emailed to him. Here are some examples of the wording:

“Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
“I want you to send me the list of W-2 copy of employees wage and tax statement for 2016. I need them in PDF file type. You can send it as an attachment. Kindly prepare the lists and email them to me asap.”

How the scam works

The success of this scam is due to the trusting nature of the employee and the targeted approach of the cybercriminal. This sort of manipulation is called Social Engineering. The criminal has researched the company and knows exactly who in Payroll or HR to send the email, and knows the names of the people in authority at the company. When the email comes through it appears to be from someone internally. In otherwords, they have "spoofed" the name and address to look like it is really from that person. The unsuspecting victim complies in deference to authority even though the request seems out of the ordinary. 

How they make money doing this

These cybercriminals intend to monetize the personal information that they collect by filing fraudulent tax returns or selling the information on the black market which can be used for identity theft.

What to do if you get a suspicious email

Do not reply to the email. Contact your IT support company immediately and relay your suspicion. They might ask you to forward the email to them so that they can determine its origin. Most importantly, verify with the person who appears to be the email sender that they did, in fact, make this request. If you do not have a direct line of contact with the executive, talk to your supervisor and get some help to verify the sender and the message.

Multi-Layered Defense

The best defense has multiple layers. In addition to technical tactics that protect your network perimeter, you should train employees to recognize the different ways that cybercriminals gain access to business and personal data through other means. Get the E-Book Cybersecurity Guidelines for Secure Behavior Online and in the Office to get practical advice that you can use today to protect your company from cybersecurity threats.

download our cybersecurity ebook

Topics: Cybersecurity