With tax season just ramping up for many companies, it’s a good time to be on the lookout for a particularly pernicious form of business email compromise (BEC): The W-2 scam.
As J.D. Supra recently noted, this is a type of phishing scam that usually begins with a fake email. The email appears to come from the CEO or CFO and is usually sent to someone in human resources or payroll, asking them to forward all of the company’s employees’ W-2 forms in PDF format.
Here’s a hypothetical example from the J.D. Supra post:
Subject: Treat as Urgent
Date: March 7, 2016 10:55 AM
I need copies of all employees’ W-2 wage and tax statements for 2015 to complete a business transaction. I need them in PDF format. You can send them as an attachment.
Usually the attacker has done enough research to figure out the names of the executives involved and to craft a reasonably realistic-looking email.
Unfortunately for the recipients of this message, it’s not actually a top exec sending it. The original email contains a Reply-To address that’s different from the one shown in the From field, and which is controlled by the scammer. Since the Reply-To address is hidden by most email clients, it’s easy for the recipient to respond without noticing that their reply is actually going to a different address. If that reply contains the requested attachment, then the hapless employee has just given the scammer a treasure trove of data, including home addresses, social security numbers, and income data for the company’s employees.
The W-2 scam is surprisingly common, and has caught many companies unawares. It’s similar in operation to the CEO-to-CFO scam, in which the scammer appears to be requesting a bank transfer, again by posing as a top executive of a company.
These attacks take advantage of the fact that, for domains without email authentication, there’s nothing stopping scammers from putting whatever they want in the From field of their emails. For that matter, there’s nothing to keep them from putting totally different addresses in From and Reply-To.
Email authentication puts a stop to that. With SPF, a company publishes a DNS record listing the IP addresses (or sending services) that are allowed to send mail using its domain as the envelope sender. With DKIM, the company’s mail servers add a cryptographic signature to every outgoing message, made with a private key whose public half is published in DNS, so receivers can verify that the message really originated with that domain and was not altered in transit. DMARC ties the two together: it requires that the domain in the visible From header align with the domain that passed SPF or the domain that signed with DKIM, and it tells receivers what to do with mail that fails (monitor, quarantine or reject). Note that DMARC says nothing about Reply-To; a scammer can still put whatever they like there, but they can no longer put the company’s exact domain in From and get the message delivered. With SPF, DKIM and a DMARC policy of p=reject in place, W-2 scam emails that spoof the company’s exact domain are rejected by every receiver that honors the policy, which the major mailbox providers do.
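As an added illustration of the two points above (the hidden Reply-To in the scam message, and what DMARC actually checks), here is a small Python example. It is not ValiMail’s or J.D. Supra’s code: the sample messages, the DMARC record text and the “authenticated domain” inputs are constructed for the example, and the organizational-domain shortcut (last two labels) is a simplifying assumption in place of the Public Suffix List that real receivers use.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture): the visible From shows the
# CEO's real domain, but Reply-To points at a mailbox the scammer controls.
SCAM_MSG = """\
From: "Pat Executive" <ceo@example.com>
Reply-To: "Pat Executive" <ceo.example.com@mail-lookalike.example.net>
To: payroll@example.com
Subject: Treat as Urgent
Date: Mon, 7 Mar 2016 10:55:00 -0500

I need copies of all employees' W-2 wage and tax statements for 2015 to
complete a business transaction. I need them in PDF format.
"""

# Constructed sample of a legitimate internal message with no Reply-To header.
LEGIT_MSG = """\
From: "Pat Executive" <ceo@example.com>
To: payroll@example.com
Subject: Lunch Friday

Team lunch is on Friday at noon.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(raw_message):
    """True when Reply-To routes replies to a domain other than the visible From domain.
    This is the tell of the W-2 scam; most mail clients never display Reply-To."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return bool(reply_domain) and reply_domain != from_domain


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Assumption for this example; real receivers consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only needs the same organizational domain."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(txt_record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def dmarc_result(from_domain, dmarc_record, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (dmarc_pass, published_policy) for a received message.

    spf_pass_domain:  the envelope-sender (MAIL FROM) domain, given only if SPF passed for it.
    dkim_pass_domain: the d= domain of a DKIM signature that verified, if any.
    DMARC passes when either authenticated identifier aligns with the From domain;
    otherwise the receiver applies the published policy (none / quarantine / reject).
    Reply-To plays no part in this evaluation.
    """
    tags = parse_dmarc(dmarc_record)
    spf_aligned = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_aligned = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, tags["adkim"])
    return (spf_aligned or dkim_aligned), tags.get("p", "none")


if __name__ == "__main__":
    print("scam Reply-To mismatch:", reply_to_mismatch(SCAM_MSG))
    print("legit Reply-To mismatch:", reply_to_mismatch(LEGIT_MSG))
    record = "v=DMARC1; p=reject"
    # Spoofed From; only the scammer's own domain passes SPF: fails, policy says reject.
    print(dmarc_result("example.com", record, spf_pass_domain="mail-lookalike.example.net"))
    # Genuine mail signed with the company's DKIM key: passes.
    print(dmarc_result("example.com", record, dkim_pass_domain="example.com"))
```

The Reply-To check is something a mail gateway or a payroll team’s mail rule can apply to inbound messages today, independent of what the sending domain has published. The DMARC half shows why the standard stops exact-domain spoofing and nothing more: a message whose From is example.com passes only if SPF or DKIM authenticated a domain that aligns with example.com, and a lookalike domain the scammer controls never aligns, no matter what Reply-To says.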
Scammers can still launch attacks using lookalike domains (one that differs from the real domain by a character or two, for instance), so employees still need to use vigilance. Train employees that requests for sensitive information and bank transfers always require verbal confirmation, either on the phone or in person, using a number they already have rather than one supplied in the email. Train them to fulfill information requests by creating a new email to the executive’s known address, not by replying to solicitations. And train them to read emails closely for signs that they might not be legit.
However, with DMARC email authentication in place at a reject policy, the worst of these scam emails, the ones that spoof the company’s exact domain, can be sent automatically right where they belong: Oblivion.
DMARC is highly effective, but it can be difficult to implement correctly. Read our article on the most common email authentication mistakes that companies make, and for more in-depth information, check out ValiMail’s resource page. How’s your company doing? Use our free domain checker to see if your domain is protected.