CHEYENNE – The Internal Revenue Service is warning businesses and organizations alike to beware a W-2 phishing scam that seems to be expanding its target list this year, and has already claimed at least one victim in Wyoming.
While identity theft attempts take a wide variety of forms, the relatively new W-2 phishing scam is particularly damaging because of the sheer number of people it can compromise in one fell swoop.
Here’s how it works: Cybercriminals will use various techniques to disguise an email to make it appear as if it is from an organization executive. That email is then sent to employees in the organization’s payroll or human resources departments, requesting a list of all employees and their Forms W-2.
This phishing method impacted more than 145 organizations in the United States in 2016, compromising the tax information and Social Security numbers of tens of thousands of people. And this year, the IRS reports that the phishing scam is diversifying its targets. Where scammers had previously concentrated on corporations, they are now targeting nonprofits, school districts and tribal organizations as well.
“It’s pretty sinister, and it’s expanding to all kinds of different organizations,” said Raphael Tulino, an IRS spokesman based in San Diego. “This particular scam isn’t about impersonating the IRS, but it is bad guys getting their information from outside the tax system instead.”
Geographic location doesn’t seem to be a limiting factor for the scammers, as Campbell County Health of Gillette can attest. The hospital was the victim of a W-2 phishing scam on Jan. 26, when someone posing as a hospital executive managed to convince an employee to release W-2s for more than 1,400 employees.
Dalton Huber, the chief financial officer for Campbell County Health, said the aftermath of the attack has provided a learning experience for the hospital’s staff – one he hopes other organizations won’t have to learn the hard way.
“I’m used to getting the phishing emails as CFO, because the really dumb ones will send them under the old CEO’s name,” Huber said Friday. “But if you’re not used to getting stuff like that, it’s easy to get sucked in.”
Huber said Campbell County Health has been working with employees to provide them with credit-monitoring protection, as well as to help them file affidavits with the IRS stating that their tax information has been compromised. The hospital has also been working on establishing new procedures so that employees have a better idea of how to distinguish a phishing email from the genuine article.
“What we’ve done is every email that comes from the outside now has a header on it that says it came from outside the CCH system,” he said.
The hospital has also encouraged employees to speak up and ask questions when they get a request for confidential information, regardless of who it appears to be from.
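The pattern described above (an outside sender using an executive's display name to ask payroll for W-2s) and the "came from outside" subject marker CCH adopted can both be expressed as a simple mail-gateway check. The following is an added illustration, not code from the IRS, CCH or the article; the internal domain, executive names and sample messages are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example; a real deployment would load the
# internal domain and executive list from directory/gateway configuration.
INTERNAL_DOMAIN = "cch.example"
EXECUTIVE_NAMES = {"jane doe", "john roe"}
W2_REQUEST = re.compile(r"\bW-?2s?\b|social security|payroll (?:list|report)", re.I)


def _body_text(msg) -> str:
    """Collect the text/plain content of a parsed message (multipart or not)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw: str) -> dict:
    """Score one inbound message and build the subject line the recipient would see."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")

    external = sender_domain != INTERNAL_DOMAIN
    # A known executive's display name arriving from an outside domain is the
    # core signal; combined with a W-2/SSN request it is the article's scam.
    impersonation = external and display_name.strip().lower() in EXECUTIVE_NAMES
    w2_request = bool(W2_REQUEST.search(subject + "\n" + _body_text(msg)))

    return {
        "external": external,
        "impersonation": impersonation,
        "w2_request": w2_request,
        "suspicious": impersonation and w2_request,
        # Visible "outside the system" marker, as CCH described adding.
        "tagged_subject": f"[EXTERNAL] {subject}" if external else subject,
    }


# Constructed sample messages: one spoofed executive request, one genuine internal mail.
SPOOFED = """From: "Jane Doe" <jane.doe@mail-example.net>
To: payroll@cch.example
Subject: Urgent - W-2s for all employees

Please send me the 2016 W-2 forms for every employee as a PDF today.
"""

LEGITIMATE = """From: "Jane Doe" <jane.doe@cch.example>
To: payroll@cch.example
Subject: Board meeting agenda

Attached is the agenda for Thursday.
"""
```

Keyword matching alone is noisy; the value here is the combination of an external domain, a trusted display name and a request for tax data, which is what the tagging and the "ask before you send" guidance are meant to surface.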
For larger organizations, Huber said it may also make sense to consider hiring a company that specializes in anti-phishing employee training and simulations. Though he wasn’t familiar with such companies until after CCH’s breach, Huber said such companies can be invaluable in getting an idea of how many organization employees are susceptible to a phishing email.
“We’ve talked to some banks and another hospital that hired a company to send out these types of things to their employees to see who’s going to be sucked into it,” Huber said.
The IRS asks that any organizations receiving W-2 scam emails forward them to firstname.lastname@example.org and place “W2 Scam” in the subject line. Those organizations that fall victim to them should file a complaint with the Internet Crime Complaint Center operated by the Federal Bureau of Investigation.
“Besides doing a local police report, there’s a Form 14039, an identity theft affidavit,” Tulino said. “That tells the IRS we should put a mark next to your account, and that will help us help that taxpayer.”
Source: Wyoming Tribune Eagle.