The IRS is warning of one of the “most dangerous” kinds of phishing scams in which fraudsters are successfully tricking organizations into sending wage data on employees and then making fraudulent wire transfers.
Some companies have already lost thousands of dollars to this fraud this year, the IRS says. The fraudsters have also widened their pool of potential victims beyond corporations to school districts, not-for-profit organizations, tribal casinos, chain restaurants and temporary staffing agencies.
“This is one of the most dangerous email phishing scams we’ve seen in a long time,” says IRS Commissioner John Koskinen. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.”
Last year, the IRS saw for the first time attempts to trick companies into sending out batches of employees’ W-2 forms, the annual wage and salary reports required to file a tax return. The forms contain names, addresses, Social Security numbers and wage data.
To convince unwitting employees, fraudsters modify emails to change the sender’s address and make it appear the message comes from someone within the same organization. The emails often target payroll or human resources officers, with the sender purporting to be an executive.
On Jan. 25, the IRS warned it was seeing fresh attempts for W-2-related fraud this year. But then just over a week later, the IRS says it is seeing that scam wrapped with another one – fraudulent wire transfers.
The new strategy is a one-two punch. If the request for the W-2s is successful, the fraudsters come back with another request for a wire transfer.
“Some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers,” the IRS says.
Over the past few years, fraudsters have had astounding success with the scams, which are sometimes referred to as business email compromise or business email spoofing. The FBI started tracking the activity in October 2013. Since then, the agency estimates criminals have collectively stolen or attempted to steal $3.1 billion globally.
The FBI’s Boston bureau warned in December of a dramatic increase in the scams. In Massachusetts, Maine, New Hampshire and Rhode Island, $33 million has been stolen, with an average loss of $90,000.
The scam is simple social engineering that takes advantage of weak internal controls. But the spoofing of email addresses can be difficult to catch. In another variation of the scheme, fraudsters will create email addresses using domain names that are one letter different in hopes no one will catch the mistake.
The problems seen today are due in large party to a big design flaw in the protocol for email. SMTP doesn’t verify that the sender’s domain seen in the “from” field matches the one from which it was sent.
More advanced fraudsters run phishing schemes to get email credentials to actually log into legitimate accounts. They then do extensive reconnaissance, figuring out an organization’s procedures in order to craft an email request for a wire transfer that won’t look suspicious.
Verify Wire Transfer Requests
The best defense against the attacks is focuses more on processes than technologies.
“Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers,” the IRS advises.
The FBI recommends that any email requests to send money be verified with the person who requests it, either on the phone or in person. That same advice could be safely applied to mass requests for W-2s.
The IRS says it has put in place measures that can identify fraudulent tax returns if an organization reports the theft of W-2s. The agency also advises that victims file a report with the FBI’s Internet Crime Complaint Center.