The U.S. Internal Revenue Service has issued a new “urgent alert” warning that internet criminals have combined CEO Fraud and W-2 phishing to target a much wider range of organizations than ever before.
CEO Fraud: e-mail attacks that spoof the boss and social-engineer a high-risk employee into wiring funds to a bank account controlled by the bad guys.
W-2 phishing: scammers impersonate the boss and ask for a PDF with all employee tax forms.
The IRS warned that phishers started this scam much earlier this year, attempting to extract W-2 data which can be used to file for fraudulent tax refunds, duping the actual taxpayers. The agency warned that the scammers are also targeting a much wider range of organizations in these W-2 phishing schemes, including school districts, healthcare organizations, chain restaurants, temporary staffing agencies, tribal organizations and nonprofits. People who are not required to file a return can still be victims of refund fraud, as can people who are not actually due a refund from the IRS.
Double Barrel Attack
W-2 phishers have cooked up a new, more profitable scheme: after a successful W-2 phish, they also attempt a cyberheist, looting the victim organization’s bank account. The IRS said that W-2 phishers now very often follow up with an “executive” email to payroll or the comptroller requesting that a wire transfer be made to a bank account they control.
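A mail-filter check for the two-stage pattern described above, as an added example that is not from the IRS alert or the original post. It flags mail that carries an executive's display name but has a sender or reply address outside the organization, then reports when a W-2 request is followed by a wire request. The executive name, the domains, the keyword lists and the Reply-To signal are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values: replace with your own executive list and mail domain.
EXECUTIVES = {"pat morgan"}
ORG_DOMAIN = "example.com"
W2_TERMS = ("w-2", "w2")
WIRE_TERMS = ("wire transfer", "wire payment")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify(raw):
    """Return (executive, kind) for a suspicious request, else None."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if name.lower() not in EXECUTIVES:
        return None
    # Spoofing signal: an executive's display name on mail whose sender
    # or reply address sits outside the organization's domain.
    outside = domain(sender) != ORG_DOMAIN or (
        bool(reply_to) and domain(reply_to) != ORG_DOMAIN)
    if not outside:
        return None
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(t in text for t in W2_TERMS):
        return (name.lower(), "w2")
    if any(t in text for t in WIRE_TERMS):
        return (name.lower(), "wire")
    return None

def double_barrel(raw_messages):
    """Executives whose name was used for a W-2 request, then a wire request."""
    seen_w2, hits = set(), []
    for exec_name, kind in filter(None, map(classify, raw_messages)):
        if kind == "w2":
            seen_w2.add(exec_name)
        elif exec_name in seen_w2 and exec_name not in hits:
            hits.append(exec_name)
    return hits

# Constructed sample mail in arrival order (not real traffic).
SAMPLES = [
    "From: Pat Morgan <pat.morgan@example.com>\nSubject: Lunch\n\nNoon works.\n",
    "From: Pat Morgan <ceo@example.net>\nSubject: Urgent\n\nSend me a PDF of all employee W-2 forms today.\n",
    "From: Pat Morgan <pat.morgan@example.com>\nReply-To: pm@example.net\nSubject: Payment\n\nPlease make a wire transfer this morning.\n",
]
```

A hit from double_barrel(SAMPLES) means the W-2 data may already be gone, so it should trigger both a hold on the wire and the W-2 reporting steps.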
“This is one of the most dangerous email phishing scams we’ve seen in a long time,” IRS Commissioner John Koskinen said. “Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars.” W-2 phishing scams started in February last year, and there have been a lot of victims.
As Brian Krebs noted earlier this week, scammers also are now selling 2016 employee W-2 forms that were phished or otherwise stolen from victim organizations, peddling individual W-2 tax records for between $4 and $20 apiece.
Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.
Remember that sudden requests like this may be spoofed emails, and that you should double-check by picking up the phone and verifying that this is a legitimate request coming from that executive.
This tax season, stay alert for scams like this, and Think Before You Click!
The IRS says organizations receiving a W-2 scam email should forward it to firstname.lastname@example.org and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3), operated by the FBI.
Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft. Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return is rejected because of a duplicate Social Security number or if instructed to do so by the IRS.
According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints in 2015. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can.