Phishing scams have increased significantly in the past few weeks as cybercriminals step up their campaigns during tax season, with many using a technique referred to as business email compromise to fool victims into sending employee W-2 form data to the attackers.

Beware of Business Email Compromise Campaigns During Tax Season

Some organizations have thwarted attacks, but many have fallen for the phishing scams and have emailed highly sensitive employee data to the criminals behind the campaigns. Business email compromise is used in spear phishing campaigns: Highly targeted and highly convincing attacks on small numbers of employees within an organization.

Most phishing campaigns are random. Emails are sent out by the million in the hope that some individuals will fall for the scams. The email campaigns are not particularly convincing and rely on greed or naiveté in many cases to attract a click or the disclosure of sensitive data.

Business email compromise campaigns on the other hand are much more convincing. They tend to involve very carefully constructed emails, good grammar, do not contain the spelling mistakes common in most spam emails, and are hand written and sent to a very select number of individuals within an organization or to just one person. They are often personal, referring to the target by their first name. They also use business email addresses for the attack. An email sent from within the company, or seemly from within the company, is much more likely to be trusted.

Corporate images are often used, email signatures copied, and the email address of the sender is spoofed. Victims are researched, as are the companies. The key to the success of these campaigns is their realism. The aim is to get an employee to take a specific action without thinking that the request is anything other than genuine. If the scam is successful, the victim may never know that they have been duped.

The email requests, at first glance at least, appear to be genuine. They are sent from a senior executive or the CEO of the company. When they are sent from an authority figure from within the company the request is less likely to be questioned.

In the past few weeks a number of companies have received business email compromise phishing emails and have sent attackers a list of employee W-2 form data, including Social Security numbers, dates of birth, names, and details of employee earnings for the year. These data can be used by the criminals to file false tax returns in the names of company employees.

W-2 Phishing Scams Target Californian Companies

Magnolia Health Corporation recently announced one of its employees had fallen for a business email compromise scam and had sent a full list of employees to the attacker. The mistake was discovered, although not for a week. The attack took place on February 3, 2016.

Also on February 3, Californian company BrightView also received a phishing email requesting employee data and sent information, as requested, to the email scammers. BrightView discovered the mistake the following day.

Polycom, a content collaboration and communication technology also based in California, was attacked in the same manner on February 5, and also fell for the business email compromise scam. California-based Snapchat similarly was fooled by the business email compromise scam and emailed the data of 700 employees to the attackers. Mercy Housing Inc., and Central Concrete Supply Co., also suffered similar attacks recently.

The attacks have not been limited to California. Alaskan Telecommunications company GCI also fell victim to a similar attack, which resulted in the data of 2,500 employees being sent to a scammer.

BEC scams are convincing and employees need to be particularly vigilant especially at this time of year. To reduce the risk of a BEC attack being successful, it is important that staff receive training on how to identify a business email compromise scam. Policies should also be introduced to make it harder for employees to fall for the scams, such as requiring all data requests to be verified by two employees, one of whom should be within the Information Security team.

Until tax season draws to a close we are likely to see even more companies fall for these scams.