Last year saw an unprecedented number of complaints from businesses that were victims of tax season phishing scams and the IRS warns that a new batch of attacks has already begun.  Targeted phishing scams campaigns (Spear Phishing), use insider information to take advantage of a business’s employees.  The latest scams uses fake emails disguised as requests from a CEO or CFO to convince a business’s payroll departments to give up important tax documents.

The IRS put out a warning last week that all employers should be on the lookout for W-2 email spear phishing scams.  The W-2 scam has been around for a while now, but where in the past it has focused primary on the corporate world, it has now been found targeting school districts and nonprofits as well.

What makes matters worse is that scammers have redoubled their efforts this year to include an additional level of exploitation.  If someone within a company falls for the initial W-2 scam, they will likely receive an “executive” level follow-up email requesting that a wire transfer be made to a specific account.  While not directly related to tax fraud, cybercriminals are using the initial scam to check for gullibility of a business’s employees.  The IRS has reported that some unfortunate businesses have lost both employees’ W-2s and thousands of dollars due to the combined scam.

Spear Phishing campaigns in general are more sophisticated than normal spam emails, which makes them a more difficult threat to defend against.  An attacker will research an organization to learn standard business procedures before enacting a calculated attack.  With the rise in popularity of social media, most businesses have much of their staff visible from publicly visible websites such as LinkedIn and Facebook.  This makes it easy to gain information about employee hierarchy, department heads and often times it’s possible to determine standard operating policies as well.  Once the attacker has gained information about an organization, they will tailor an attack to fall under the radar and target users they judge as most susceptible.

The IRS has set up a number of resources for businesses that have encountered or fallen victim to the scam.

“Organizations receiving a W-2 scam email should forward it to and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3,) operated by the Federal Bureau of Investigation.

If you encounter the W-2 email scam, or any other variant of the scam, do not wait to report it.  While you may be able to tell the difference between a legitimate email and a phishing attack, others in your organization may not.  Employee education and awareness is the best defense against a security breach.