W-2 Fraud on the Rise Says FBI

On March 6th, 2018, posted in: spearphishing by konweb

Oh the joys of tax season! Nothing warms the heart quite like sending off checks to the IRS. Of course, before you can file your taxes you’ll need to get your W-2. And your friendly cybercriminal knows this and is more than happy to take advantage of your trust and expectations of communications about W-2 forms.

Batavia Fell Victim

You may recall that on February 6th we reported that the city of Batavia, IL fell victim to exactly this sort of scam. Well, last week the FBI released Alert I-022118-PSA on the very same subject. It’s too bad that this report comes too late to help our friends in Batavia, but it will hopefully help others.

From the IRS:

Beginning in January 2017, IRS’s Online Fraud Detection & Prevention (OFDP), which monitors for suspected IRS-related phishing emails, observed an increase in reports of compromised or spoofed emails requesting W-2 information. Sometimes these requests were followed by or combined with a request for an unauthorized wire transfer.

The most popular method remains impersonating an executive, either through a compromised or spoofed email in order to obtain W-2 information from a Human Resource (HR) professional within the same organization.

Individual taxpayers may also be targeted, but criminals have evolved their tactics to focus on mass data thefts.

If you or your organization suspects that it may have been compromised by a phishing scam of this type, here is what you should do.


If notified quickly after the loss, the IRS may be able to take steps that help protect your employees from tax-related identity theft. To contact the IRS about a W-2 loss, email IRS at dataloss@irs.gov and provide the information listed below so the IRS can contact you. In the subject line, type “W-2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information (PII) data.

Provide the following information in your email:

  • Business name
  • Business employer identification number (EIN) associated with the data loss
  • Contact name
  • Contact phone number
  • Summary of how the data loss occurred
  • Volume of employees impacted

Note: The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. Any contact from the IRS will be in response to a contact initiated by you. Criminals, when they learn of a new IRS process, often create false IRS web sites and IRS impersonation emails.

How Konsultek Can Help

Spearphishing attacks are just one of many different types of security issues that we help clients with every day. As the unfortunate incident in Batavia shows, even organizations with just a few hundred employees can make attractive targets for scammers. Don’t fall victim. We’re here to help. Just call us and we’ll be happy to discuss your unique situation.



Just to prove the point that no organization is too small for hackers to target, Batavia, Illinois was hit with a spearphishing campaign last week.

According to KaneCountyConnects.com, the phishing attack affects several hundred employees, councilmen and others receiving W-2 forms from the city of Batavia.

Classic Spearphishing

We’ve reported similar scams here in the past. The scammers leverage the trust and authority of an organization’s executive member to request sensitive information. In the case of Batavia the “executive” apparently requested that a file or files containing W-2 information be emailed to him. This has resulted in names, social security numbers, addresses and earnings being transferred to the scammers.

Wait, We’re Not Done Yet

While it is unclear whether Batavia also fell victim to a second ancillary wire transfer scam, according to the IRS more than one organization has been hit with a 1-2 punch this tax season. The second part of the scam is for an “executive” to request a wire transfer of funds, typically from the comptroller or someone in payroll.

Question Anything That Looks or Smells Phishy

Spearphishing works so well because of the leveraged executive authority and because the request often seems totally reasonable and topical. Now, of course, is the heart of tax season, and so it is perfectly reasonable for certain executives to be requesting tax-related information. It is therefore incumbent on organizations to train their employees to review all such requests closely to make sure they are real. A quick phone call is often all it takes to confirm the validity of a request, and executives should laud the employee who makes that call rather than rebuke her.

The IRS has developed a whole educational series on the subject called Don’t take the Bait that could be used by any organization to raise awareness and begin to develop a culture of security.

How Konsultek Can Help

Spearphishing attacks are just one of many different types of security issues that we help clients with every day. As this attack shows, even organizations with just a few hundred employees can make attractive targets for scammers. Don’t fall victim. We’re here to help. Just call us and we’ll be happy to discuss your unique situation.



Closing on a Home? Beware of Spearphishing

On November 3rd, 2017, posted in: spearphishing by konweb

We’ve highlighted spear phishing in the past and noted that it is most effective when one of the parties carries some level of authority, there is a legitimate/expected reason for this authority to be contacting the victim, and there is a large sum of money in play.

The Home Closing – The Perfect Spearphishing Opportunity

You have to hand it to the cybercriminal mind. When homeowners are going to closing you have:

1. An authority figure [Title or Escrow Agent]

2. A reason for that authority figure to be contacting the victim [Funds needed for settlement]

3. Large sums of money [Settlement funds].

According to an article in the Chicago Tribune this scam is growing in popularity because it works so well and yields enticingly lucrative profits.

How the Scam Works

The scam is pretty simple. It begins with the hackers finding a vulnerability in the title company’s or real estate company’s email system. Once inside, the hackers track upcoming closings and, before the legitimate request for funds is sent to the victim, send their own request for funds, which conveniently funnels the money into a bank account they control.

It’s only days or weeks later when the real request comes through that the victim realizes that they sent their money to a criminal, not the title or escrow company.

“It’s unbelievable how often this is happening,” said Jessica Edgerton, associate counsel for the National Association of Realtors in Chicago. And now real estate clients who’ve been scammed are fighting back, seeking recovery of funds through the courts and turning to an FBI weapon that has been little known to the general public: the “Financial Fraud Kill Chain.”

Funds Lost Forever?

Unfortunately, it seems as though the victim is frequently left holding the empty bag when these crimes occur. As reported in the Chicago Tribune article, the FBI can help with recovery if:

  • The wire transfer was $50,000 or more in value
  • The wire transfer was international
  • The bank issues a recall notice
  • The FBI is informed of the details within 72 hours.

Be Diligent, Follow-up and Use the IC3

If you are going to settlement, you can help protect yourself by looking for inconsistencies in instructions and following up by phone or in person with the party requesting funds to make sure that the request is 100% legitimate. And if you sense something has gone awry, use the reporting tool we highlighted just a few posts ago at www.ic3.gov.

Is Your Security too Much to Handle?

Konsultek can help! Our managed security services allow even the smallest organization to have world-class security without the need for massive capital and human resource investments. Give us a call today to learn why more and more organizations are turning to Konsultek for their managed security solutions.

