02
Feb 17

IRS: Scam Blends CEO Fraud, W-2 Phishing

Most regular readers here are familiar with CEO fraud — e-mail scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster. Loyal readers also have heard an earful about W-2 phishing, in which crooks impersonate the boss and request a copy of all employee tax forms. According to a new “urgent alert” issued by the U.S. Internal Revenue Service, scammers are now combining both schemes and targeting a far broader range of organizations than ever before.

The IRS said phishers are off to a much earlier start this year than in tax years past, trying to siphon W-2 data that can be used to file fraudulent refund requests on behalf of taxpayers. The agency warned that thieves also appear to be targeting a wider range of organizations in these W-2 phishing schemes, including school districts, healthcare organizations, chain restaurants, temporary staffing agencies, tribal organizations and nonprofits.

Perhaps because they are already impersonating the boss, the W-2 phishers feel like they’re leaving money on the table if they don’t also try to loot the victim organization’s treasury: According to the IRS, W-2 phishers very often now follow up with an “executive” email to the payroll or comptroller requesting that a wire transfer be made to a certain account.

“This is one of the most dangerous email phishing scams we’ve seen in a long time,” IRS Commissioner John Koskinen said. “Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars.”

The Federal Bureau of Investigation (FBI) has been keeping a running tally of the financial devastation visited on companies via CEO fraud scams. In June 2016, the FBI estimated that crooks had stolen nearly $3.1 billion from more than 22,000 victims of these wire fraud schemes.

First surfacing in February 2016, the W-2 phishing scams also have netted thieves plenty of victims. At one point last year I was hearing from almost one new W-2 phishing victim each day. Some of the more prominent companies victimized by W-2 scams last year included Seagate Technology, Moneytree, Sprouts Farmer’s Market, and EWTN Global Catholic Network.

As noted earlier this week, scammers also are now selling 2016 employee W-2 forms that were phished or otherwise stolen from victim organizations, peddling individual W-2 tax records for between $4 and $20 apiece.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

The IRS says organizations receiving a W-2 scam email should forward it to phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3), operated by the FBI.

Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft. Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return is rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

W-2 forms are prized by ID thieves because they feature virtually all of the data needed to file a fraudulent tax refund request with the IRS in a victim’s name, including the employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.

According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints in 2015. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can. 

The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and to establish other communication channels — such as telephone calls — to verify significant banking transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating CEO fraud schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.


25 comments

  1. “In June 2016, the FBI estimated that crooks had stolen nearly $3.1 billion from more than 22,000 victims of these wire fraud schemes.”

    Over what time period?

    Thanks,

  2. IRS iTUNE cards (real)

    You really should be warning internet users about the IRS scammers in India who are impersonating agents from that government agency.

    For example call 202-570-7458 or 202-930-2462

  3. Is it time for a USPS clearinghouse including Postmaster General for e-mail?

  4. We started receiving more sophisticated CEO fraud attempts at our accounting department recently. What was most alarming about these recent attempts is that the scammers registered domain names very close to ours but with the .co TLD (TLD for Colombia). They were then sending us email coming from @ourdomain.co which looked very very close to @ourdomain.com and made it through Spam filters. Definitely a first for me!

    • I’ve heard of such tricks. My former company almost became a victim of such a scam. Luckily, the AP head flagged that one simply because they requested a wire to another bank that is different from what was on our file. She did the proper protocol by requesting a letter with company head and signed by an officer of the company. That foiled them.
      They tried it again within a day and it failed. Funny thing was the scammer was in South Korea impersonating a company in China.

      Lest you think they can just produce a letterhead, the company actually verifies the information with the company in question.

  5. This is the saddest part of the story “…. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can…”

  6. After I was a victim of tax fraud a few years ago, I was given a PIN code when filing my taxes. Given the billions of dollars lost, having everyone provide a PIN is a simple ROI (return on investment). I also was blocked from entering anything online for three years. What are the folks at the IRS thinking?

    • Over the past several years, IRS leadership has been making enemies with people in Congress and getting their budget cut. (See Lois Lerner and 501c4 scandal.) Limited resources ever since.

  7. Jeff, What are the folks at the IRS thinking?
    Obviously they are thinking too much about who you are voting for. Everything else is window dressing.

  8. This just happened to a small hospital in New Roads, Louisiana and they got pwned.

    http://www.wbrz.com/news/hackers-posing-as-administrator-get-200-workers-w-2-forms

  9. I can almost (almost) understand how someone could fall for the W-2 scam. But a comptroller or payroll processor who falls for the wire transfer scam should NOT be in that job.

  10. Following the money…
    I can understand how the money is moved in a wire transfer scam. Once it’s wired, it’s gone.

    But I don’t understand how the money moves in an IRS scam. The IRS only pays by paper check or ACH direct deposit. I don’t think the IRS is going to send a paper refund check of a tax payer in Iowa to someone Russia. Would the IRS send a refund by ACH to a bank overseas? That would make reversal difficult, but not impossible. Or are the scammers using money mules that have US bank accounts? And they get the money from the mule before it gets ACH reversed?

    • ACH deposits can be (and are) made to “prepaid” credit cards. There is a ridiculous number of people in the USA who don’t have a bank account and instead use prepaid credit cards or just deal in cash and use check cashing stores. It is hard for me to understand, but quite common. Credit unions will provide banking services to just about anyone with some requiring $0 balance to keep the account open for at least some time. But there are many people who use other means.

      • Some poor people don’t use banks because banks charge overdraft fees. They don’t have enough to pay their bills, go overdrawn, get overdraft fees that put them further into the poor house, get mad at the bank, and close their account.

        Banks charge overdraft fees a lot more frequently than they used to also. So going negative goes further negative fast.

      • Actually they require a small amount of money in the account to keep it active. Usually if the account has no activity within a time frame, they tend to close it.

        Secondly, anyone opening a checking account must undergo a chex background check to make sure the potential customer is not flagged.
        One time I was opening an account with a local bank, the first thing the CSR does is using the chex for any flagged items. I commented that stating that I used to work in a bank many years ago and asked if she is checking if I am flagged. She said “yes.”

        • Private sector banking is failing the entire poor people market segment and putting them at the mercy of the extortionist payday lenders.

          If the private sector can’t take care of this market segment then the USPS needs to re-implement post office banking. But good luck making that happen during this particular administration.

  11. “The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and to establish other communication channels — such as telephone calls — to verify significant banking transactions.”

    Good luck with that. I talked to Wells Fargo Bank officials about it, and they couldn’t have cared less. In particular, I asked if we could be notified of bank transfers over a certain amount. They indicated that it wasn’t their problem.

    FYI Wells Fargo doesn’t even have two-factor authentication for their website.

    • With Wells Fargo having recently been caught scamming their own customers, anyone who remains a client of theirs is not too smart.

    • Vote with your feet. Investigate your local Credit Unions. Mine has two-factor for setting up access to a new phone with their smartphone app or a new PC for website access. When you find a CU that supports this, move on over, and then be very clear with Wells that you left because they wouldn’t support security measures meant to protect you, but that your local CU would.

      FYI, Wells does support two-factor, for (large?) businesses. My employer is set up this way.

  12. I am in a job speciality and am always having to look for new work. A year ago I received an email from a staffing company recruiter targeting me with my job title and area of residence. He provided a link to his company (same domain as his email). It seemed a little thin so I did some digging and found that he created more bought 20 domains over the past year. Each web site looked identical except for the name of the company and HR recruiter (all other staff members were the same).

    With further digging using 800notes.com I found that a lot of people were successfully scammed out of their DOB and SSN. He said he needed the info in order to submit the targets to his corporate clients. Combined with other information the scammer found on his targets he has done a lot of damage. Including tax return theft.

    I built a Blogger site with all the information I gathered and have been trying to share it so that individuals are not roped into his particular scam. Over the past year, many of the sites have expired since he did not renew.
    https://fakestaffing.blogspot.com

    He has used multiple hosting companies that I have found and a couple of them have been responsive and taken down his sites. Unfortunately, he has found that DreamHost in Brea, California ignores warnings and continues to host his scams. I am really disgusted by the DreamHost staff since they are Americans and their company lists this specific violation of their terms of service. Here is one that is active and sending out emails:
    http://www.usajobsearch.org

    This past week I have found a few fake job postings on a service called CATS. I have warned their service department (two individuals) and they quickly took down what I found.
    http://www.catsone.com

    Rather than just ignore these criminals, please help me and Krebs and be active in the fight. Set up your own Blogger site and list the criminal enterprise so when someone is doing a search on the ‘company’ name your site comes up.

    • Good for you. I have a number of less-employed extended family that have fallen for this sort of thing and then been victims of identity theft.

  13. I was working with drop jobs before.
    I did serve prison for 4 months.
    And I got reported to my country.
    I stole 13000$ was proofed as damage.
    It was bank transfers work
    I worked with personal accounts but
    Some guys worked with business accounts
    So they made about 100+ or more.
    One guy opened business now and don’t do any
    Criminal activity. But I guess we all have to price for breaking law.
    It was times like this. I did time in prison it was not easy food was horrible cell was small and all that things. Many guys who worked with banks botnets transfers and similar are now just family fathers they don’t do nothing criminal anymore. I guess they learned from past mistakes because you can really do the real time in prison.
    That was bank transfer jobs and drops and like this I was also member on omerta forum
    What can I say it was times like this right now I don’t think
    Any bank transfer jobs can be good.
    Now it’s all just history for me only memories are left.

  14. Let’s put things in perspective: This W2-Fraud stuff is NOTHING compared with the dangers we face when our own IRS abuses us depending on who or what we believe in.

  15. A friend’s coworker nearly fell for a phone scam involving supposed back taxes and threats of arrest warrants. It’s a scam similar to those where the victim receives a voice message about an alleged crime or law suit brought against them in some other state for which they must pay legal fees or an arrest warrant will be “issued”.

    This time the scam was modified for tax season. The caller claimed to be from the state tax commission and had enough financial info on the victim (SSN, investment account balances, wife’s maiden name, etc.) to convince the victim they had not paid enough taxes in 2014 and somehow missed all the letters sent from the commission since then. Now he was in danger of arrest unless he wired funds immediately! Luckily, my friend caught him just in time before he headed out to make the wire transfer.

  16. I’ve been tracking the impact of this scam on K-12 school districts and was astounded to find how effective it had been. Via news reports, I’ve identified over 20 school districts that have compromised their employees’ W-2 information and growing. My understanding is that there are already more reports of successful phishing attacks on schools this year than in all of last year (and it’s only February). I fear that schools are even less well equipped to deal with this threat than other organizations. For details on what I’ve assembled see: https://www.edtechstrategies.com/blog/irs-phishing/
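
The lookalike-domain trick described in comment 4 above (mail from @ourdomain.co passing for @ourdomain.com) can be flagged at the mail gateway by comparing each sender domain with the organization's own. The sketch below is an added example, not part of the original post or its comments; `ourdomain.com`, the function names and the sample headers are constructed placeholders, and the label-by-label comparison is a simplification that does not consult a public-suffix list.

```python
from email.utils import parseaddr

OWN_DOMAIN = "ourdomain.com"  # placeholder from comment 4; set to your real domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, own: str = OWN_DOMAIN) -> str:
    """Return 'internal', 'tld_swap', 'near_miss' or 'external'."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if domain == own or domain.endswith("." + own):
        return "internal"
    own_name = own.split(".")[0]
    labels = [label for label in domain.split(".") if label]
    # Same organization name under a different suffix, e.g. ourdomain.co
    if own_name in labels:
        return "tld_swap"
    # One or two character edits away from the real name, e.g. "rn" for "m".
    # Short names produce false positives; tune the threshold for your domain.
    if any(0 < edit_distance(label, own_name) <= 2 for label in labels):
        return "near_miss"
    return "external"


def flag_messages(from_headers):
    """Return (header, verdict) pairs for senders imitating the own domain."""
    verdicts = ((h, classify_sender(h)) for h in from_headers)
    return [(h, v) for h, v in verdicts if v in ("tld_swap", "near_miss")]


# Constructed sample From headers, not taken from any real incident.
SAMPLE = [
    '"The Boss" <ceo@ourdomain.com>',
    '"The Boss" <ceo@ourdomain.co>',
    "ceo@ourdornain.com",
    "newsletter@example.org",
]

if __name__ == "__main__":
    for header, verdict in flag_messages(SAMPLE):
        print(f"{verdict:10} {header}")
```

Flagged messages are candidates for quarantine or an external-sender banner; requests for W-2 data or wire transfers still need the out-of-band verification the FBI recommends.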