It used to be said that the only certain things in life were death and taxes.
But this adage is in desperate need of an update. In the age of technology, the only certain things in life are death, taxes, and phishing scams.
And scams targeting taxpayers and tax preparers are just the tip of the iceberg. This tax season, schools, nonprofits, NGOs, state/local governments, and aid organizations have also found themselves the targets of wide ranging tax and W-2 phishing scams.
How To Scam the IRS
For several years now, phishing scams targeting the IRS have plagued the agency and taxpayers alike, with 2016 seeing attacks on the IRS, taxpayers, and tax professionals hit records levels.
Typically, phishing campaigns posing as the IRS or tax preparers have been used to lure taxpayers into divulging their login and/or personal information under the pretense of avoiding delays in processing returns.
By contrast, when targeting tax preparers, scammers sought to phish login credentials for the IRS’ “e-Services portal” which gave scammers unfettered access to additional victims.
An example IRS phishing page.
But these aren’t the only methods scammers have used to scam the IRS.
Initially seen in early 2016, “W-2 phishing” is a lucrative method for siphoning large quantities of verified data, which can later be used in additional scams. How? Phishers simply send emails to organizations’ accounting, payroll, and HR departments requesting their employees’ W-2 information.
Scammers typically follow-up W-2 scams with business email compromise (BEC) scams, in an attempt to get even more bang from someone else’s buck. The information taken in these campaigns is often put up for sale, and can be utilized in tax fraud schemes and identity theft.
An example W-2 phishing email.
And it’s not just phishing that you should be worrying about.
Individuals have also reported receiving malicious phone calls (known as “vishing”) claiming to be from the IRS with regard to delinquent taxes. These callers frequently use threatening language, and lead victims to believe they could receive wage garnishments, liens on personal properties, and even incarceration or deportation.
Unsurprisingly, victims routinely handed over personal information such as social security numbers, dates of birth, and even banking information which callers claimed would be used to settle overdue tax debt or setup payment arrangements.
Widening the Lens
But, naturally, criminals are never satisfied. If previous years could be thought of as a targeted hunt, this tax season was more akin to open season.
With not only content intending to defraud the corporate world, scammers broadened their sights to include schools, nonprofits, hospitals, restaurants… the list goes on.
As far as we can tell, there doesn't appear to be a defined target or sector. Any sector possessing large amounts of personal employee or customer data was at risk.
Of course, increased activity during tax season is nothing new. But this year, the IRS warned of an earlier than expected start to W-2 scams which not only targeted the same companies that where hit last year, but also saw these same companies targeted with follow-up BEC scams.
In essence, these changes can be seen as scammers “upping their game.” While targeting individuals taxpayers did work well, scammers have come to realize that large-scale data theft is far more lucrative.
As a result, after 2016 saw record numbers of phishing sites targeting taxpayers, preparers, and the IRS, 2017 saw a marked decrease in phishing sites. While January 2016 experienced more IRS phishing attacks than the whole of 2015, with more than 320 recorded, January 2017, had a meager 58.
This downward trend continued throughout the first quarter of 2017, and it appears that the shift in tactics towards large-scale data theft is largely to blame for this phenomenon.
According to the IRS’ Tamara Powell, acting director of the IRS Return Integrity Compliance Services, reports of W-2 scams rose significantly in 2017. Nearly 900 organizations reported to the IRS that they received a W-2 phishing email during the first four months of 2017, compared to just 100 in 2016.
Of the 2017 reports nearly 200 companies lost data, whereas in 2016 the number was closer to 50.
Number of phishing sites.
Staying Ahead of Scammers
As always, email remains the primary attack vector used to conduct phishing campaigns, W-2 & BEC scams, and malware campaigns. And, as always, the best way to avoid these scams is to educate your users.
Routinely educating users on the types of scams they are most likely to see is essential to the fight against phishing. Not only can it protect individuals from making terrible mistakes, it will also dramatically improve an organization’s overall threat profile.
In order to mitigate the threats we’ve discussed in this post, here are some important things to watch out for:
- Emails directing users to update information, or reveal login/pin details
- Emails containing links (malicious URLs/redirects) to look-alike domains
- Always double check the spelling & grammatical accuracy of URLs
- Hover over links with your mouse to ensure domains match before clicking
- Do not click on ads for tax services, use the links in the actual search results provided by your browser
- Phone calls claiming to be the IRS, and demanding immediate repayment
- The IRS will not call you and demand immediate repayment (prepaid debit card, gift card, wire transfer) under any circumstances. They will not ask for payment info over the phone, or threaten immediate legal action.
In the corporate world, implementing administrative controls for all money transfers or requests for confidential information (e.g., verbal confirmation) can go a long way. But ultimately, there is no substitute for heading off threats before they gain a foothold.
If your users are routinely trained and tested on their ability to identify and report malicious communications, the chances of your organization being impacted by the scams we’ve described will fall dramatically. Not only that, if an incident does occur, your incident response resources will be in a far better position to minimize the damage caused.
For more information on how to develop and implement a powerful security awareness training program, check out this post.