Employees Still Feel Drawn To Basic Phishing Campaigns Like Moths To Flames

By ISBuzz Team, Writer, Information Security Buzz | Apr 22, 2017 11:05 pm PST

Tax season is when the scammers are in full swing. Over $50 million worth of tax fraud has occurred since 2013, as reported by the U.S. Treasury Inspector for Tax Administration. And unfortunately it looks like it is only going to get worse.


According to a warning issued by the IRS, the W-2 email phishing scam has grown beyond the corporate world. Not only is the scam spreading, but criminals keep devising smarter ways to line their pockets with even more stolen money.


Cybercriminals use several deceptive methods to craft fake emails that appear to come from an executive within the organization. The email is sent to employees in payroll or HR and requests a list of all employees and their W-2 forms. This is called a business email compromise (BEC) scam.

If a scammer gets hold of your W-2 form, the potential consequences are serious. Filing a fraudulent tax return in your name is one of the most common uses.

The IRS has published a few phrases that are typically found in the fake emails:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees’ with full details (Name, Social Security Number, Date of Birth, Home Address, and Salary.)
  • I want you to send me the list of W-2 copy of employees’ wage and tax statement for 2016. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.

Scammers don’t stop there. In addition to asking for W-2 forms, criminals also send emails to payroll asking for wire transfers to be made to a particular account.


Many corporations have fallen prey to these scams, losing W-2 forms and thousands of dollars in the process.

The IRS is urging all organizations to warn their payroll, finance and human resources departments about these scams. Companies are also being advised to review their internal policies on the handling of W-2 forms and wire transfers.

How to avoid phishing attacks

Since phishing emails are the source of tax scams, here are a few ways to prevent falling victim:

Be vigilant with email communication

Check email addresses carefully, particularly on messages that appear to come from executives requesting financial transactions. Even a small discrepancy in the address, or anywhere else in the message, can reveal that the email is a fraud. Always verify the validity of a request for a wire transfer or sensitive information before acting on it.
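The address checks above can be automated. The following is an added example, not code from the article, that uses Python's standard email library to flag a message for the BEC traits described here: a lookalike sender domain, an executive's display name on an unknown mailbox, a Reply-To that diverts responses, and W-2 or wire-transfer wording. The company domain, the executive list and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
# Assumed values for a hypothetical company; they are not taken from the article.
CORP_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # display name -> real mailbox
KEYWORDS = ("w-2", "wire transfer", "social security", "kindly", "asap")
# Constructed sample, modelled on the request wording the IRS quotes above.
SAMPLE_W2_SCAM = """From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
To: payroll@example-corp.com
Subject: W-2 request

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all
W-2 of our company staff for a quick review.
"""
# Constructed benign message from the real executive mailbox, for comparison.
SAMPLE_BENIGN = """From: "Jane Doe" <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Holiday schedule

Please post the updated holiday calendar on the intranet.
"""
def edit_distance(a, b):
    # Levenshtein distance: how many single-character edits turn a into b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(raw):
    # Returns the BEC indicators found in one raw RFC 5322 message, in a fixed order.
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = (msg["Subject"] + " " + msg.get_body(("plain",)).get_content()).lower()
    findings = []
    if domain != CORP_DOMAIN and edit_distance(domain, CORP_DOMAIN) <= 2:
        findings.append("lookalike-domain")    # typo-squat of our own domain
    if any(n in name.lower() and addr.lower() != a for n, a in EXECUTIVES.items()):
        findings.append("exec-impersonation")  # executive's name, wrong mailbox
    if reply_domain and reply_domain != domain:
        findings.append("reply-to-mismatch")   # replies diverted elsewhere
    if any(k in text for k in KEYWORDS):
        findings.append("sensitive-request")   # W-2 / wire / PII wording
    return findings
```

A real mail gateway would also check SPF/DKIM results, but these four header and body rules catch the pattern the IRS describes without any external data.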

Be careful with links

If you get an email or notification from a site that you find suspicious, don’t click on its links. It is safer to type the website’s address directly into the browser rather than clicking on a link. Also, hover the mouse over the link to check whether it points to the same destination it claims to.

Do an online search

If something seems suspicious, do an online search on the topic. If it really is a scam, you will likely find results saying so. Take that infamous Nigerian prince scam, for instance. I know about it, the people around me know about it, and I can bet you may have received a couple of emails from some banker or insurance guy from South Africa requesting your details so he can transfer those millions into your account. No?


Look out for typos

Phishing scams are infamous for their typos. If you receive an email or notification from a reputable company, it should not contain typos. If it’s a scam, there are probably people online complaining about it, and you can find more information.

Use multi-factor authentication

It is recommended to require two forms of verification, for example a password and a security question, before logging into any sensitive accounts. Note that a security question is still something you know, so a one-time code from an authenticator app or a hardware security key gives a stronger second factor.

Use a VPN to secure your Internet connection

Yet another tried-and-tested way of phishing user information is to set up fake public Wi-Fi hotspots. That free McDonald’s Wi-Fi you just logged on to – that isn’t Ronald’s offering. It’s the Hamburglar posing as Ronald, offering you a phony gift that keeps on giving, except only to him. You log in to that network and start browsing, and you can bet every piece of information you send will pass through the attacker. You just took the bait. And that is exactly why you need to do the following:

  1. Ensure that the Wi-Fi access point really belongs to the provider and is not a rogue AP. There are ways to tell real ones from the fake variety:
    1. When you log in via a real access point, you have to agree to its terms. It’s part and parcel: if you don’t agree to them, you don’t get any internet – simple.
    2. The sites you browse through the real deal will be SSL-secured (HTTPS). If you don’t see that in your address bar the next time you browse a site over “free” public Wi-Fi, know that something isn’t quite right.
    3. If your browsing experience is a little slow, it’s more than just that free VPN acting up.
  2. If you’re in the USA, it’s better to rely on your mobile data than gamble everything for those free megabytes.
  3. If you’re out of data, or if you’re a tourist, or let’s just assume that connecting to Wi-Fi is what you need to do, then I suggest you secure your browsing and encrypt everything with a US VPN after you’ve ensured you’re connecting to a real access point and not a fake.


So there you have the guidelines for working your way around these phishing attacks. Cybercrime is an ever-growing phenomenon, and the only way to survive it is to take precautions.

About Anas Baig