Employees of the supermarket chain Sprouts were the latest victims of what has become a disturbing trend in recent months: targeted attacks on companies aimed at stealing W2 forms.
Sprouts Farmers Markets said last week that an employee at the company’s Arizona headquarters had mistakenly sent the 2015 W-2 statements for all the company’s employees – 21,000 spread across 220 stores – in an e-mail to someone posing as a company executive. The correspondent in question was not a company executive, and the company soon realized the mistake and contacted law enforcement and the IRS.
And Sprouts isn’t alone. Moneytree of Seattle recently informed employees that payroll information was accidentally revealed to an “external source” as a result of a phishing scam.
W-2 forms are a strange kind of target, unless you consider the time of year and the mountain of fraudulent tax filings at both the state and federal level. W-2 forms, of course, are a critical supporting document that scammers can use to provide wage and tax ID information needed file a fraudulent claim and receive a tax refund.
And lo-and-behold: the Internal Revenue Service and state revenue departments are saying that incidents of tax fraud are skyrocketing. The IRS told the blog KrebsonSecurity that it stopped 4.8 million suspicious returns in 2015 and stopped 1.4 million confirmed attempts at identity theft, totaling $8.7 billion and $3.1 billion in refunds of other types of fraud.
All that fraud is gumming up the tax return pipeline, slowing tax return review from 7 days to 21 days, according to data from the firm Iovation.
These are difficult attacks to stop. As this Symantec blog notes, they’re an offshoot of a broad category of phishing attacks known as business email compromise (or BEC) scams that started out as a way to trick high ranking corporate officers into OK'ing wire transfers to accounts controlled by fraudsters. The W2 scam flips that on its head: targeting the employees of a firm, not the firm itself.
The fix for W2 phishing scams? Obviously, anti-spam and anti-phishing technologies may help, though not always. A better approach is for companies to train critical employees in payroll to beware of such ruses and to think (and check) twice before responding to any request to email sensitive employee or corporate data – especially in bulk.
Beyond that, companies should think about instituting controls to at least flag efforts to do bulk export of certain types of sensitive or regulated data from payroll and other critical systems. (“Do you really want to export W2 information for every employee?”) Putting additional barriers, such as two factor authentication or manager approval workflow around sensitive acts like money transfers and export of employee payroll data can also help.
The other needed fix, of course, lies with the IRS and state revenue departments. Processes for protecting taxpayers and taxpayer data have been woefully inadequate, creating an easy opportunity for fraudsters to exploit. While the IRS appears to be taking the problem seriously, the continued high levels of fraud against taxpayers suggests that criminals still are finding a way to sidestep anti fraud protections built into the tax filing system.