January 17, 2017
With a new calendar year comes a new tax year. Given the successful year fraudsters had in 2016, there is no reason to expect 2017 to bring a decrease in tax fraud and finance-related scams. According to the IRS, there was an eye-popping 400% surge in phishing emails and malware incidents during the 2015 tax season. Phishing is any attempt, usually through a deceptive message, to trick you or your company into disclosing sensitive information or handing over money. Most phishing is email-based, and it is extremely effective: 95% of all infections in an organization start with a phishing email.
An especially damaging form of phishing email, called CEO Fraud or Business Email Compromise (BEC), targets HR and finance departments. In a BEC campaign, attackers impersonate high-level executives, usually the CEO, and send urgent-sounding emails to individuals in HR and finance, since those staff handle payments and have access to employee data. Such attacks result in employees being tricked into wiring large sums of money to an attacker-controlled bank account or sending sensitive employee data to an attacker-controlled email address.
Wire transfer fraud has been a problem for years, but in 2016 a new form of BEC fraud began that focused on stealing employee W-2 data, not money. Below is an example of a W-2 fraud email. This simple email has been extremely effective in stealing W-2 information from companies across all industries:
Hi [Internal Finance Person],
I need you to send me the list of W-2 copy of all employees’ wage and tax statement for 2016. Kindly prepare in PDF file type and email me the file.
BEC fraud owes its success to "spoofed" email addresses: attackers forge the display name, register a look-alike domain, or forge the From header outright so that the message appears to come from someone inside the organization. The visible "From" line alone cannot be trusted. Deciding whether the originating address is genuine means examining the full message headers: the actual address behind the display name, the Reply-To and Return-Path, and the SPF, DKIM and DMARC results recorded by your own mail gateway. Treat with suspicion any email that asks you to send sensitive employee data or wire funds, however plausible the sender appears.
Beyond the BEC-specific warning signs, there are general indicators that can help determine whether an email is a phishing email. These include:
- Poor grammar in the body of the email.
- Incorrect spelling.
- The "from" address does not match the name shown as the sender (for example, an executive's name in front of an unfamiliar or look-alike domain).
- If the email contains a link, the destination of the link (the URL) does not match the link text; hovering over the link reveals the real destination before you click.
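The spoofing and link checks described above can be automated at triage time. The script below is an added example and is not code from the original article; it parses a raw message with Python's standard email library and reports which indicators fired. Both sample messages are constructed for this example, example.com is assumed to be the organization's own domain, examp1e.com and mail-example.net are placeholder look-alike domains, and the Authentication-Results header is assumed to be the one your inbound gateway adds.

```python
# Added example, not code from the original article: a small triage script that
# applies the indicators above to a raw message. Sample messages are constructed
# here; example.com / examp1e.com / mail-example.net are placeholder domains.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed W-2 lure: display name claims the CEO, the address uses a look-alike
# domain, Reply-To goes elsewhere, the gateway (assumed to add Authentication-Results)
# reports SPF/DMARC failures, and the link text does not match the link target.
SAMPLE_MSG = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
To: finance@example.com
Subject: W-2 copies for 2016
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com;
 dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/html; charset="utf-8"

<html><body><p>I need you to send me the W-2 copy of all employees. Upload them here:
<a href="http://hr-portal.examp1e.com/upload">https://hr.example.com/upload</a></p>
</body></html>
"""

# Constructed benign internal message for comparison.
CLEAN_MSG = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Lunch on Friday
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Are you free for lunch on Friday?
"""


class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw, internal_domain=INTERNAL_DOMAIN):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # 1. The real address behind the display name is not on our domain.
    if from_domain != internal_domain:
        findings.append(f"From domain {from_domain!r} is not {internal_domain!r}")
    # 2. Replies would go somewhere other than the apparent sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to!r} differs from From {from_addr!r}")
    # 3. Our inbound gateway recorded an SPF/DKIM/DMARC failure ("none" is not a failure).
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() not in ("pass", "none"):
            findings.append(f"{mech}={m.group(1)} reported by inbound gateway")
    # 4. Link text shows one host while the href points to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    body_text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body_text)
        for href, text in collector.links:
            shown = urlparse(text if "://" in text else "http://" + text).netloc.lower()
            actual = urlparse(href).netloc.lower()
            if "." in shown and shown != actual:
                findings.append(f"link text shows {shown!r} but points to {actual!r}")
    # 5. The request itself: W-2 data or a wire transfer.
    if re.search(r"\bW-?2\b|wire transfer", msg.get("Subject", "") + " " + body_text, re.I):
        findings.append("requests W-2 data or a wire transfer")
    return findings
```

Run `check_message(SAMPLE_MSG)` to see six findings for the lure and `check_message(CLEAN_MSG)` to see none for the benign message. The checks are deliberately conservative: a DKIM result of "none" is not flagged, since unsigned mail is common, and a link is only flagged when its visible text is itself a URL whose host differs from the real target.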
To protect your organization, take the following steps:
- Alert employees to these phishing indicators.
- Make clear that they will NEVER receive an email from anyone within your organization, including senior management, requesting that they send employee W-2 information or wire large sums of money, and that any such request must be verified in person or by phone using a known number, never by replying to the email.
- Provide guidance on whom to notify immediately if an employee receives such an email, and have them report it (forwarding it with full headers) before deleting it, so the security team can investigate and block the sender.
- Instruct employees to NEVER click on a link or open a document attachment in any suspicious email without the approval of your information security manager.