Tax information thieves are on the prowl—yet again—as seen in a recent string of attacks that continue to trick organizations into giving up W-2 tax information. In a report, San Francisco-based software and services company Pivotal Software shared details of a phishing scheme that managed to breach an undisclosed number of employee tax information.
In a written notice directed to employees dated March 31, 2016, chief people officer Joe Militello noted that the breach was initiated by a phishing email disguised to have come from CEO Rob Mee requesting information on Pivotal’s workforce. The employee inadvertently mistook the request as a legitimate message from the executive, leading to the delivery of W-2 information to an unauthorized recipient on March 22nd. The sent information included names, addresses, 2015 income details, Social Security numbers, and Individual Taxpayer Identification numbers.
Militello writes, “We began investigating the incident as soon as we learned of it.” Pivotal officials have sought help from law enforcement and the IRS to conduct investigations and to monitor where the stolen information ends up—and to create a shield that would prevent or reduce further exposure of the sensitive information.
Affected employees of Pivotal Software were provided with three years-worth of identity theft protection services. Militello urges employees to be more vigilant to prevent attacks like this from succeeding. He said, “You should remain vigilant for incidents of fraud and identity theft, including by regularly reviewing your account statements and monitoring free credit reports. If you discover any suspicious or unusual activity on your accounts or suspect identity theft or fraud, be sure to report it immediately to your financial institution.”
This incident adds Pivotal Software to the growing line of corporations and businesses that have fallen for similar schemes. Seagate, Snapchat, and Sprouts Farmers Market were among recently reported enterprises victimized by the same trick—simple yet effective.
KSU falls for the same scheme
A week ago, a report on a community college’s W-2 phishing scam showed that this type of scheme has extended to the education sector. Following the exposure of W-2 information of 3,000 employees of Virginia-based Tidewater Community College, a similar case emerged much more recently, with a faulty email carrying the same tune—involving Kentucky State University (KSU).
The ruse—involving a request for W-2 information supposedly coming from KSU President Raymond Burse, was sent to a staff member. The legitimate-looking email succeeded, prompting the staffer to forward identities of employees and students apart from 2015 W-2 information.
In an advisory posted on March 29, 2016, Burse divulged key information on the breach, which took place on March 22. Mitigation strategies have all been in place to prevent the misuse of information stolen from the University. Burse furthered that closely monitoring for suspicious credit activity should be done even by those who are not directly hit by the breach. The post notes, “For your protection, KSU has already taken action to limit the effects of this breach and to identify the responsible party(ies). Federal and state authorities have been notified and are investigating this incident.” Apart from this, three credit reporting agencies have been tapped to provide free credit reports. Affected parties were also provided with a one year-membership to a personal information protection service.
Tax information: the new goldmine
While the attack tactic employed to carry out the scheme was deemed simple, phishing scams and BEC schemes similar to these reported cases involve elaborate planning and careful research on the part of info thieves to make each sent message believable.
These email schemes are typically done for direct monetary gain—redirecting wire transfers and similar transactions to a cybercriminal-controlled account. However, breach incidents like the ones that steal personal information has been proven to be a valuable underground commodity. Besides having value as a product that's sold in underground markets, the data can also be used to stage future attacks—during tax season, the information can be used for IRS or tax fraud scams.
In a consumer alert posted earlier this year, the IRS has warned the public of a 400% surge of IRS scam cases recorded this year—a significant growth from last year. IRS Commissioner John Koskinen said, “This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data.”
Spam designed to scare taxpayers
In a separate security warning, IRS projected that tax fraud will account for losses that could reach at least $21 billion in 2016—greatly ballooning from around $6 million in losses recorded in 2014. This will be done through the use of several methods to rake in profit, from fraudulent tax returns, to schemes that make taxpayers believe they owe the government money, to classic tactics involving the sale of stolen personally identifiable information.
Trend Micro researchers discovered a social engineering hook designed to trick unknowing taxpayers. The scheme involves the use of spam messages, supposedly from an IRS agent. Tapping into the fear of its targets, the message will coerce the recipient to download a malicious attachment (detected as BKDR_NOANCOOE.SM) which leads to compromising infected systems.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).