W-2 Image Exploits: With the Tax Season Come the Thieves
By: Sean B. Hoar
If you process or store Form W-2 Wage and Tax Statements, you are a target.
The Form W-2 contains everything a malicious actor needs to file a false tax return with the Internal Revenue Service (IRS) and steal a refund. Because a W-2 contains a consumer Social Security number (SSN), it is highly valued on the dark web, and therefore highly sought after by thieves.
The tax season will begin on Monday, January 28, 2019, the date when the IRS will begin accepting 2018 tax returns. This is also the day when malicious actors will begin to file fraudulent tax returns. They are currently very busy attempting to steal W-2 images through the process of social engineering.
How social engineering works
Malicious actors, through reconnaissance, will determine which employees are likely to have access to W-2 images. It is typically human resources personnel who process, transmit, or store this information.
The malicious actors will then attempt to “phish” employees’ W-2 images from those personnel. The malicious actor will typically pose as a superior officer in the organization, often the Chief Financial Officer, by “spoofing” the email address of that officer. The phishing email will request that the employee place all the W-2 images in a zip file and return them via email in preparation for the filing of the annual corporate tax return. If the social engineering attack is successful, the malicious actor will then immediately attempt to electronically file tax returns with information from the stolen W-2 images.
How to prevent an attack
In order to prevent what is referred to as the W-2 image exploit, it is critical that all employees who have access to W-2 images understand that they will be targets of phishing attacks.
They must be directed to never disclose those images to anyone requesting them via email. If they receive an email requesting W-2 images, or other sensitive information, they should always personally contact the person who is perceived to have requested the information and confirm that, in fact, the person requested the information for legitimate business purposes.
Although it can be uncomfortable confirming what may appear to be a simple business request from a superior, it will prevent the W-2 image exploit 100 percent of the time – and any reasonable manager or officer will appreciate that an employee prevented the fraud. It is what we refer to as the employee being the “human firewall” to prevent the malicious attacks.
Who else is at risk
Accounting firms should also be on high alert that malicious actors are currently attempting to hack into their tax platforms in order to steal 2017 tax returns. The malicious actors will then use the information to fraudulently file 2018 tax returns and steal the refunds.
All firms containing sensitive information should have all appropriate security controls enabled, including strict access controls and intrusion detection systems, to prevent or quickly detect system intrusions.
Read more about how to protect yourself from social engineering attacks in our post “Social Engineering Targets: Email Compromises - a Quick Prevention Guide” from October 15, 2018.