Understanding And Preparing For The Upcoming W2 Fraud Attacks

Having survived the challenges of 2017, I'm sure we are all looking forward to a bit of a rest, but that is not in our future. It does help to be prepared for what is coming, which is why I want to take a minute to talk about W2 fraud. As we enter the first quarter of 2018, you need to be aware of it and know how to combat it.


What is W2 Fraud?

W2 fraud is a close relative of CEO fraud, a.k.a. Business Email Compromise (BEC). While CEO fraud happens throughout the year, W2 fraud happens primarily in the first quarter here in the US, for reasons that will become obvious. To put it bluntly, W2 fraud is where somebody pretends to be a member of an organization's leadership and targets someone, usually in HR or payroll, tricking them into sending the employees' tax statements. This type of attack is almost exclusively carried out through email phishing; however, we can expect to see cases where the bad guys add a second channel, such as SMS phishing (smishing), to improve their odds of success.


How does it work?

In its simplest form, the attackers craft an email message with a spoofed (faked) "from" address, or one registered to look like the real thing. This message requests that the victim send the W2 tax forms of all employees, usually as a .PDF document. The message looks legitimate on the surface and may even include the signature block of the executive it claims to come from, or other similar traits that make it look genuine. There is often a sense of urgency in the message to get the victim to send the data quickly, without giving them a chance to check on its legitimacy. In addition, more often than not, the attacker is ready to reply almost immediately to any questions the victim raises in reply to the initial request.

Once the attackers have the tax documents, they almost immediately file fraudulent tax returns in the employees' names. As you can imagine, these returns are crafted to produce a refund, which goes to the attackers. Then, when the employee goes to file their taxes, they find out that a return has already been filed for them. This causes a lot of additional work, delays in receiving their actual refund, and the involvement of law enforcement and the Internal Revenue Service (IRS). To add insult to injury, the attackers then often sell this information on the dark web. Because a W2 includes sensitive information such as the Social Security number, home address, employer and salary, this data is great ammo for identity theft.



Below is an example of a real attack that targeted us here at KnowBe4, with a breakdown of the ways the attackers try to make it look legitimate. This is a very typical W2 fraud phishing email.

As you can see in the example above, the focus is on making the message look legitimate and getting the recipient to act very quickly. Here are the different elements, broken down.

  1. A sense of urgency in the subject. It's coming from the boss, and they want you to read it as quickly as possible. This sets the tone for the attack and puts the victim on the defensive.
  2. Photo of the boss. This was no doubt taken from any of a number of sources on the internet, including LinkedIn, press releases, published articles, etc., and adds to the legitimacy of the email.
  3. Email address looks like the real thing. The "from" address can be spoofed outright, with a different "reply-to" address pointing back at the attacker, or the address may simply be designed to look close to the real one if you are not paying attention. For example, this could have easily been [email protected] or something similar. The .xyz in the email address could be easily missed by a victim not trained to look for it.
  4. This is also designed to add legitimacy to the message. Many people are not aware that it is easy to discover information like this on the internet. Business tax filings, LinkedIn, press releases, "About Us" web pages, etc. all provide information that allows the attackers to target the right people in the organization.
  5. Request for .PDF format. This is the format the attackers prefer to request.
  6. More urgency. This is once again designed to get the victim to respond quickly, reducing the likelihood that they will ask questions or think about the request too much. When the CEO, President or another person in top leadership makes a request, it often goes unquestioned.


Another Example

This one is a little less common, but very simple and effective. Essentially, it's a lead-in to the example above and sets the tone a little more strongly. In this case it's made to appear that the victim missed an earlier email from senior leadership. Once the victim replies saying they did not get an earlier email, the follow-up emails are very similar to the one above, but with a more aggressive tone, because the attacker has now made the victim believe they messed up and missed the initial request. This puts a lot of pressure on the victim. In a larger organization where employees don't typically interact with senior leadership, this can put the victim in a very stressful situation and make them unwilling to question the request. Again, this is an actual email we received here at KnowBe4.


Hybrid Attacks

I mentioned earlier that we can expect to see the attackers leverage other types of attacks. Imagine getting one of the above emails followed by a text message from the boss requesting the same thing. This would be a hybrid attack leveraging something called "smishing" (SMS phishing). We've all seen or heard of text-message-based attacks, usually in the form of a message from a financial institution requesting some sort of account validation, or even the IRS threatening to arrest the victim. These attacks are not difficult to perform, but can be very effective when combined with an email message like the one above.


Defending Against These Attacks

When defending against this type of attack, it's important to have good email filters in place to block these messages before they ever reach the victims. Email authentication (SPF, DKIM and DMARC) stops an attacker from putting your exact domain in the "from" address, but it does nothing against a lookalike domain such as the .xyz example above, or against a message sent from a real executive mailbox that has been compromised. Unfortunately, even the best technology these days struggles to detect and stop these very targeted attacks; it does much better at stopping blanket phishing emails than this sort of thing. Antivirus or endpoint protection really does nothing against this type of attack, as there is no malware involved. That leaves you with non-technical solutions in order to make the biggest impact against these attacks.
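As an added example that is not part of the original article and is not KnowBe4's own tooling, the following Python script checks an inbound message for the tells described in the breakdown above and in this section: a lookalike sender domain (the .xyz trick), a "reply-to" that points off-domain, an executive's display name on an external address, and a request for W2 or tax documents dressed up with urgency and a .PDF ask. The organization domain, the executive name list and the three sample messages are constructed for the example; a real deployment would load them from your directory and mail gateway.

```python
"""Heuristic checks for a W2 / BEC request email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed for this example: the organization's real mail domain and the
# names attackers are likely to impersonate. Replace with your own.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"pat jones"}

W2_REQUEST = re.compile(r"\b(w-?2s?|tax (forms?|statements?)|1099s?)\b", re.I)
URGENCY = re.compile(
    r"\b(asap|urgent(ly)?|immediately|right away|today|as quickly as possible)\b", re.I)
PDF_ASK = re.compile(r"\bpdf\b", re.I)

# Digits commonly swapped for letters in lookalike domains (0->o, 1->l, 3->e, 5->s).
_HOMOGLYPHS = str.maketrans("0135", "oles")


def _domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _is_internal(domain):
    """True for the organization's domain or one of its subdomains."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def _levenshtein(a, b):
    """Edit distance between two short strings (domain labels)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for a domain that imitates ORG_DOMAIN without being it: the same
    label under another TLD (example.xyz), homoglyph swaps (examp1e.com,
    rn for m), or a single-character edit (exampl.com)."""
    if not domain or _is_internal(domain):
        return False
    org_label = ORG_DOMAIN.split(".")[0]
    label = domain.split(".")[0].replace("rn", "m").translate(_HOMOGLYPHS)
    return label == org_label or _levenshtein(label, org_label) <= 1


def reasons_for(raw):
    """Return the suspicious traits found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(addr), _domain(reply)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    reasons = []
    if is_lookalike(from_dom):
        reasons.append(f"lookalike sender domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    if name.strip().lower() in EXECUTIVES and not _is_internal(from_dom):
        reasons.append(f"executive name '{name}' on external address {addr}")
    if W2_REQUEST.search(text):
        reasons.append("requests W2 / tax documents")
        if URGENCY.search(text):
            reasons.append("urgency language")
        if PDF_ASK.search(text):
            reasons.append("asks for PDF copies")
    return reasons


def is_suspicious(raw):
    """Flag only when a tax-document request is paired with a sender anomaly,
    so a legitimate internal note about W2 availability is not flagged."""
    reasons = reasons_for(raw)
    sender_anomaly = any(r.startswith(("lookalike", "Reply-To", "executive")) for r in reasons)
    return sender_anomaly and "requests W2 / tax documents" in reasons


# Constructed sample messages for the example (not real emails).
LOOKALIKE_MSG = (
    "From: Pat Jones <pat.jones@example.xyz>\n"
    "To: payroll@example.com\n"
    "Subject: URGENT - need this today\n"
    "\n"
    "Hi, I need the W2s of all employees in PDF format as quickly as possible.\n"
)
REPLYTO_MSG = (
    "From: Pat Jones <pat.jones@example.com>\n"
    "Reply-To: pat.jones@webmail-example.net\n"
    "To: hr@example.com\n"
    "Subject: Re: earlier email\n"
    "\n"
    "Did you not get my earlier email? Send the tax statements for all staff.\n"
)
BENIGN_MSG = (
    "From: HR Team <hr@example.com>\n"
    "To: all@example.com\n"
    "Subject: W2 forms are now available\n"
    "\n"
    "Your W2 is available in the payroll portal. No action is needed.\n"
)

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE_MSG), ("reply-to", REPLYTO_MSG), ("benign", BENIGN_MSG)):
        print(label, is_suspicious(raw), reasons_for(raw))
```

The benign message shows why keyword matching alone is not enough: it mentions W2 forms but comes from an internal address with no reply-to trick, so it is not flagged. The script also cannot catch a request sent from a real executive mailbox that has been taken over, because every header check passes in that case; that gap is exactly what the verification policy below is for.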

The first thing to do is to make sure that everyone, especially senior leadership and the folks who deal with this sort of information, is aware of this type of attack and how to spot it. This is where a good security awareness training program really shines. Because this type of attack is so similar to CEO fraud (a.k.a. Business Email Compromise or BEC), that training does double duty when it comes to protecting the organization. Potential victims and senior leadership having a good knowledge of this type of attack, and of how effective it is, will go a long way toward getting the second part of your defense established.

That second part of the defense is to have a strong policy around handling large amounts of money or sensitive information. I like to call this the "pick up the phone first" policy, and it amounts to exactly that. The policy should state that before sending any large amount of sensitive information or transferring a large amount of funds on short notice, verbal (not text message or email) contact will be made with the requester to validate the request. Furthermore, the recipient of the email making the request should not use any phone number included in that email to make the call. They should instead use an internally published phone list or a number they already know. This keeps the attacker from planting a phone number in the email and having the victim call them for "confirmation". It also covers the case that no email filter can, where the request really did come from an executive's mailbox because the attacker compromised it.

This simple “pick up the phone first” policy and the associated training and awareness behind it, can make a huge difference when it comes to protecting your organization against this sort of attack.


More Info

If you would like more information about training your staff to identify this attack vector, check us out at https://www.knowbe4.com. We have a lot of free resources and tools to help you stay protected, as well as an industry-leading security awareness training and simulated phishing platform that you can use to educate your employees on how to spot the latest cyber threats and stay safe online.

Erich Kron is the Security Awareness Advocate at KnowBe4, and has over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the US Army 2nd Regional Cyber Center-Western Hemisphere.
