Whalers Con Employee W-2s Out of Environmental Resources Management

The phishers and whalers are out in force for the US tax season, sinking their email lures into enterprise pools in a quest for employee W-2s. The latest victim is Environmental Resources Management (ERM), the consulting giant.

W-2 tax forms are highly sought after, considering that they contain employee Social Security numbers, salaries and other personal data—basically a goldmine for identity thieves and those bent on filing for fraudulent tax returns with the Internal Revenue Service (IRS) and the states.

“Fraudsters who perpetrate tax refund fraud prize W-2 information because it contains virtually all of the data one would need to fraudulently file someone’s taxes and request a large refund in their name,” explained independent researcher Brian Krebs, who publicized the ERM case. “Indeed, scam artists involved in refund fraud stole W-2 information on more than 330,000 people last year directly from the Web site of the Internal Revenue Service (IRS). Scammers last year also massively phished online payroll management account credentials used by corporate HR professionals.”

In the ERM case, criminals took a whaling approach: the fraudster emailed a member of the finance team pretending to be a senior management official, spoofing that official’s email address in order to look more legitimate. Employees who were part of the company’s former Northern division were affected. There is no word yet on how many people the situation affects.

A similar tactic was used recently to trick an employee at data storage giant Seagate Technology into emailing thousands of 2015 W-2 tax documents for current and past employees to an address outside of the company. The employee believed in the authenticity of an emailed letter purporting to be from the organization’s CEO requesting the forms for all employees.

That situation was uncovered by Krebs as well. “On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was sent to an unauthorized third party in response to the phishing email scam,” Seagate spokesman Eric DeRitis told Krebs. “The information was sent by an employee who believed the phishing email was a legitimate internal company request.”

The news comes as the IRS suspends a service offered via its website that allowed taxpayers to retrieve so-called Identity Protection PINs (IP PINs), codes that the IRS has mailed to some 2.7 million taxpayers to help prevent those individuals from becoming victims of tax refund fraud. The problem is that the IRS allowed IP PIN recipients to retrieve their PIN via the agency’s Web site after supplying the answers to four easy-to-guess questions from consumer credit bureau Equifax.

“These so-called knowledge-based authentication (KBA) or ‘out-of-wallet’ questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing. In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook,” explained Krebs.

Photo © M. Luevanos
