W2 Phishing Scam

One of the scariest things about phishing scams is how intelligent they can be! One very intelligent phishing scam that’s recently been making the rounds is known as the W-2 phishing scam – and it’s targeting CEOs.

Phishing scams are emails sent by scammers for the purpose of gathering sensitive information like usernames, passwords, or credit card numbers. An obvious example of this kind of scam is the classic “Nigerian Prince” email, where a rich person in another country needs your bank information so that he can transfer you some of his inheritance.

While phishing emails like that example are easy to filter out of your inbox, most phishing scams have become much more clever over time! Now, phishing emails target specific individuals through a process called “spear-phishing”, where professional criminals learn about your habits and business.

Instead of sending you a generic, far-fetched letter, these criminals put together an email that looks like it’s from your bank or an airline or that asks you to confirm your password for a business account. Worst of all, many of these emails appear to be sent by trusted email addresses – they may even look like they have been sent from an internal email account!

The W-2 phishing scam is part of these specialized attacks, and has been scarily effective – so much so that the IRS has issued an official statement warning businesses about this scam.

The W-2 scam features an email that is sent to accounting and HR teams of businesses asking for a list of company employees. This email appears to have been sent by the company’s CEO, and so many individuals who are contacted respond readily with the list.

The emails may ask for individual 2015 W-2s and an earnings summary for all W-2s of company staff, or an updated list of employees with full details (including name, social security number, date of birth, home address, and salary). The scammers then use this information to file fraudulent tax returns for refunds, creating a huge headache for everyone involved.

Some quick checks you can do to see whether or not an email is a phishing scam include:

  • Check the sender’s email address, not just their name – if you don’t know them personally/professionally and the email includes a hyperlink or file attachment, proceed with caution
  • Check the time and date the email was sent – if it was sent outside of regular business hours, it may be a scam
  • Check to see if you know any of the other recipients included in the email
  • Check the content – if the sender is asking you to click a link or open a file to avoid a negative consequence or to gain something that’s too good to be true, it’s worth getting a second opinion
  • Check hyperlinks by hovering over them, and see if they go to a website that looks reputable or if they go to an unrelated address
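As an added illustration of three of the checks in that list (example code written for this page, not from the original post), the script below parses a constructed sample message and flags a sender address that does not match the display name's claim, a send time outside business hours, and a hyperlink whose visible text differs from its real target. The company domain, business hours and every address in the sample are assumed values.

```python
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): display name claims the CEO, address is
# an outside domain, sent 02:14 on a Saturday, link text differs from its target.
SAMPLE = """From: "Jane Doe, CEO" <jane.doe@example-ceo-mail.test>
Date: Sat, 05 Mar 2016 02:14:00 -0500
Subject: Urgent: 2015 W-2s for all staff
Content-Type: text/html

<p>Please upload the W-2 list at <a href="http://example-collect.test/upload">payroll.example.com</a> today.</p>
"""

class LinkCollector(HTMLParser):
    # Collects [href, visible text] for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def check_message(raw, company_domain="example.com", business_hours=(8, 18)):
    # Returns one warning per failed check; an empty list means nothing was flagged.
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg["From"]))  # check the address, not just the name
    if addr.rpartition("@")[2].lower() != company_domain:
        flags.append(f"display name '{name}' but address {addr} is outside {company_domain}")
    sent = parsedate_to_datetime(str(msg["Date"]))  # weekend or outside business hours?
    if sent.weekday() >= 5 or not business_hours[0] <= sent.hour < business_hours[1]:
        flags.append(f"sent outside business hours: {sent.isoformat()}")
    body = msg.get_body(preferencelist=("html",))  # does the link text match its target?
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = text.strip()
            if "." in shown:  # only compare when the visible text itself looks like an address
                shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
                if shown_host != urlparse(href).hostname:
                    flags.append(f"link text '{shown}' but target is {href}")
    return flags
```

Running `check_message(SAMPLE)` returns three warnings, one for each check; a message from the company domain, sent during the working week, whose link text matches its target returns an empty list.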

The number one rule when it comes to phishing is to never open a file or link that comes from a source you don’t trust. If you want to protect your business from phishing scams like the W-2 scam, talk to your IT professional for guidance. They will be able to explain more in-depth strategies for preventing scammers from accessing your information, and will be able to educate you and your staff on how to recognize and avoid scams.
