US tax authorities warn of increasingly effective phishing spam-scam.
The USA's Internal Revenue Service has, for some time, been warning corporations of a spam-scam targeting companies. Now it says it has evidence that the scam is spreading into "school districts, tribal organizations and non-profits" and other sectors. But that's not all: the criminals have found a way of hitting the same targets twice.
The fraud relates to an IRS form called W-2. The IRS is very worried.
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” said IRS Commissioner John Koskinen.
The IRS says: "When employers report W-2 thefts immediately to the IRS, the agency can take steps to help protect employees from tax-related identity theft. The IRS, state tax agencies and the tax industry, working together as the Security Summit, have enacted numerous safeguards in 2016 and 2017 to identify fraudulent returns filed through scams like this. As the Summit partners make progress, cybercriminals need more data to mimic real tax returns."
The IRS issued the following explanation:
Here’s how the scam works: Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organisation executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).
So, in English: criminals obtain e-mail addresses of employees by any means possible. Then, faking the "from" address so that an e-mail looks as if it comes from one of the company's executives, they send e-mails to someone working in, for example, the payroll or personnel department of the company, asking for confidential information. That information contains personal and financial details of employees. Once they have it, the criminals use it to pass themselves off as those employees and undertake financial transactions in their names.
The timing of the fraud is important: it takes place during what Americans term "the tax season" when everyone is rushing to complete and file tax returns. It was first identified last year, but this year it is circulating earlier in the "tax season."
This year it is compounded by a follow-up e-mail instructing the payroll or personnel department to make a bank transfer to an account nominated by the criminals. It is said that some companies have lost "thousands of dollars" in this way.
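The pattern described above can be checked at the mail gateway. The following is an added example, not IRS or article code: it holds a message for review only when a spoofing indicator on an executive's "from" line coincides with a W-2 or bank-transfer request sent to payroll or personnel. The domain, executive name, mailbox addresses, sample messages and the reliance on a gateway-stamped Authentication-Results header are all assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed policy values for this example; replace with your organisation's own.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan"}  # executive display names, lower-cased
SENSITIVE_RCPTS = {"payroll@example.com", "hr@example.com"}
REQUEST_RE = re.compile(r"\bW-?2s?\b|\b(?:wire|bank) transfer\b", re.I)

def body_text(msg):
    """Decode every text/plain part of a (possibly multipart) message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode(
        p.get_content_charset() or "utf-8", "replace") for p in parts)

def triage(raw):
    """Return (spoofing indicators, sensitive-request flag) for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    auth = msg.get("Authentication-Results", "").lower()  # assumed gateway-stamped
    spoof = []
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        spoof.append("executive display name on an external address")
    if domain == ORG_DOMAIN and "dmarc=fail" in auth:
        spoof.append("internal From address failed DMARC")
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    request = bool(rcpts & SENSITIVE_RCPTS) and bool(REQUEST_RE.search(text))
    return spoof, request

def is_suspect(raw):
    """Hold for review only when spoofing coincides with a W-2 or transfer request."""
    spoof, request = triage(raw)
    return bool(spoof) and request

# Constructed sample messages (not real mail): W-2 request, transfer follow-up, benign.
W2_REQUEST = ('From: "Pat Morgan" <pat.morgan@example.net>\nTo: payroll@example.com\n'
              "Subject: Urgent\n\nPlease send me all employees' Forms W-2 today.\n")
FOLLOW_UP = ("From: Pat Morgan <pat.morgan@example.com>\nTo: payroll@example.com\n"
             "Authentication-Results: mx.example.com; dmarc=fail\n"
             "Subject: Payment\n\nPlease make a bank transfer before noon.\n")
LEGIT = ("From: Pat Morgan <pat.morgan@example.com>\nTo: payroll@example.com\n"
         "Authentication-Results: mx.example.com; dmarc=pass\n"
         "Subject: W-2 schedule\n\nWhen will the W-2 forms be mailed to staff?\n")

for label, raw in [("W-2 request", W2_REQUEST), ("follow-up", FOLLOW_UP), ("benign", LEGIT)]:
    print(label, is_suspect(raw), triage(raw)[0])
```

The benign message mentions W-2 forms but carries no spoofing indicator, so it is not held; keyword matching alone would flag routine payroll mail during the tax season.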
The IRS has issued the following guidance:
Organizations receiving a W-2 scam email should forward it to firstname.lastname@example.org and place “W2 Scam” in the subject line. Organisations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (sic) [ https://www.ic3.gov/default.aspx ] (IC3), operated by the Federal Bureau of Investigation.
Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov [ http://www.identitytheft.gov ] or the IRS at www.irs.gov/identitytheft [ http://www.irs.gov/identitytheft ]. Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return gets rejected because of a duplicate Social Security number or if instructed to do so by the IRS.