New Research: W-2 Phishing Scams Increase During Tax Season

Stress and worry are emotions often linked with the period between the beginning of a new year and mid-April, the federal tax filing deadline. Modern technology has brought techniques and applications that reduce this burden by making it easier for consumers to prepare a tax return. Unfortunately, the age of e-filing has also brought an increased risk of tax fraud driven by cybercrime. According to IRS statistics, investigations, prosecutions, and convictions for tax crimes, including those involving identity theft, have been on the decline over the last three years.

However, last year the agency announced a “surge in phishing email” schemes designed to harvest employee W-2 information, which is then used to file fraudulent returns. Around the same time, security researcher Brian Krebs wrote a blog post about the commercial operations that monetize the data stolen by successful phishing schemes. Both reports note that employees working in payroll and human resources are the usual targets of these attacks.

With tax season upon us, BitSight researchers investigated the frequency of reported phishing incidents by sourcing data from state Freedom of Information Act requests and cybersecurity news. It is important to note that these are only the phishing events that have been identified and reported publicly, not a complete accounting of every event that has occurred. They found that in Fiscal Year 2016, reports of phishing increased dramatically between February and May compared with the rest of the year. The majority of these incidents involve human resources employees being tricked into emailing company W-2 data to an attacker, or slight variants of that pattern. The attacker impersonates an executive, typically by spoofing the executive’s email address or display name, and counts on the employee not scrutinizing a request that appears to come from their boss. As recently as February of this year a municipality, a travel agency, and a school district found themselves embroiled in phishing scams with very familiar fact patterns.


The histogram above displays the distribution of phishing incidents captured by BitSight data breach researchers over the year-long period starting in January 2016. The federal income tax filing deadline is marked by a red dotted line. There is a clear increase in reports of phishing as Tax Day approaches, followed by a steep decline. The tail of the spike extending past the deadline is likely explained by the lag between an incident and a company reporting it to the relevant authorities. We expect to see a repeat of this spike as 2017’s tax season draws to a close.

SPF and DKIM are email authentication protocols designed to establish confidence that an email really comes from the domain it claims to, rather than from a scammer spoofing a trusted sender address. SPF lets a domain owner publish in DNS which servers are allowed to send mail for that domain, so a receiving server can reject a message whose envelope sender is an executive’s domain but whose source IP is not on the list. DKIM has the sending server attach a cryptographic signature to each message, which the receiver verifies against a public key published in the sender’s DNS. An organization concerned with the prevalence and sophistication of phishing attacks can adopt or strengthen these frameworks to limit the number of questionable emails that reach staff. Two caveats apply. First, a record only helps if it is strict: an SPF record ending in “+all” or “?all” authorizes or shrugs at every sender on the internet. Second, both protocols verify only the domain actually used; a lookalike domain or a free webmail account with the CEO’s name in the display field passes both checks, so they reduce spoofing of the exact domain without eliminating impersonation.
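To make the SPF half of this concrete, here is a small SPF evaluator written for this post as an added example (it is not BitSight code, and it is not a production verifier). It resolves records from a constructed in-memory DNS table rather than live DNS, so it runs offline; every domain, address range and record in it is made up for illustration. It shows how a receiving server decides whether a connecting IP may send for a domain, and it contrasts a strict record (“-all”) with the permissive records (“+all”, “?all”, none at all) that leave a spoofed executive address unchallenged. DKIM is not covered here because verifying a signature needs the signer’s public key and an RSA implementation outside the standard library.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over a constructed DNS table.

Added example for this post, not BitSight's code. The zone data below is
constructed; IP ranges come from the RFC 5737 / RFC 3849 documentation
blocks and the domains are placeholders.
"""
import ipaddress

# Constructed DNS zone data: name -> {record type -> [values]}.
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mail-provider.example -all"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["192.0.2.10"]},
    "_spf.mail-provider.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    },
    # Weak configurations, constructed to show what a receiver does with them.
    "permissive.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 +all"]},
    "neutral.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ?all"]},
    "norecord.example": {"TXT": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for a domain, or None."""
    txts = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if len(txts) != 1:  # zero or multiple records means no usable policy
        return None
    return txts[0]


def check_spf(ip, domain, depth=0):
    """SPF result for a message from `ip` claiming envelope-from `domain`."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a)
                          for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif mech == "include":
            # An include matches only when the referenced policy passes.
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unsupported mechanism in this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without an "all" term


def audit_record(domain):
    """One-line assessment of how much protection a domain's record offers."""
    record = spf_record(domain)
    if record is None:
        return "no usable SPF record: receivers cannot reject spoofed mail"
    last = record.split()[-1].lower()
    if last in ("+all", "all"):
        return "'+all' authorizes every host on the internet: record is useless"
    if last == "?all":
        return "'?all' is neutral: spoofed mail is neither passed nor failed"
    if last == "~all":
        return "'~all' softfails: receivers usually tag rather than reject"
    if last == "-all":
        return "'-all': unlisted senders hard-fail and can be rejected"
    return "record has no trailing 'all' term: unlisted senders are neutral"


if __name__ == "__main__":
    attacker_ip = "203.0.113.7"  # constructed: outside every listed range
    for dom in ("example.com", "permissive.example",
                "neutral.example", "norecord.example"):
        print(f"{dom:20} spoof from {attacker_ip}: "
              f"{check_spf(attacker_ip, dom):8} | {audit_record(dom)}")
```

Only the first domain hard-fails the spoofed message; the other three let it through as “pass”, “neutral” or “none”, which is why the audit function treats anything weaker than “-all” as a finding. A real verifier would also handle the “exists”, “ptr”, “redirect” and “exp” terms, CIDR suffixes on “a”/“mx”, and temporary DNS errors, none of which this subset attempts.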

An organization’s last line of defense against phishing attacks is its employees. It is important for those involved in HR and payroll to practice good cyber hygiene and treat unusual or urgent email requests with increased scrutiny; a request for W-2 or other payroll data should be confirmed out of band, for example by calling the executive at a known number, before anything is sent. Additionally, it is good practice to avoid clicking through links in emails or opening attachments from unrecognized senders. Some companies conduct training and send out test phishing emails to keep employees vigilant and to identify those who need a reminder of proper email handling. For more tips on preparing your workforce to deal with phishing attacks, check out our blog citing tips from industry insiders.