Valimail blog

Be Prepared for Tax Season Email Scams

Author: Valimail
Tax forms! Photo credit: Manchester Library/Flickr via photopin.com

With tax season just ramping up for many companies, it’s a good time to be on the lookout for a particularly pernicious form of business email compromise (BEC): The W-2 scam.

As J.D. Supra recently noted, this is a type of phishing scam that usually begins with a fake email. The email appears to come from the CEO or CFO and is usually sent to someone in human resources or payroll, asking them to forward all of the company’s employees’ W-2 forms in PDF format.

Here’s a hypothetical example from the J.D. Supra post:

From: Jim.Smith@company.com
To: Tony.Adams@company.com
Subject: Treat as Urgent
Date: March 7, 2016 10:55 AM

_____________________

Hi Tony,

I need copies of all employees’ W-2 wage and tax statements for 2015 to complete a business transaction. I need them in PDF format. You can send them as an attachment.

Regards,

Jim Smith

Usually the attacker has done enough research to figure out the names of the executives involved and to craft a reasonably realistic-looking email.

Unfortunately for the recipients of this message, it’s not actually a top exec sending it. The original email carries a Reply-To address that differs from the one shown in the From field, and that Reply-To address is controlled by the scammer. Since most email clients hide the Reply-To header, it’s easy for the recipient to respond without noticing that the reply is actually going to a different address. If that reply contains the requested attachment, the hapless employee has just handed the scammer a treasure trove of data, including home addresses, Social Security numbers, and income data for the company’s employees.

The W-2 scam is surprisingly common, and has caught many companies unawares. It’s similar in operation to the CEO-to-CFO scam, in which the scammer appears to be requesting a bank transfer, again by posing as a top executive of a company.

These attacks take advantage of the fact that, for domains without email authentication, there’s nothing stopping scammers from putting whatever they want in the From field of their emails. For that matter, there’s nothing to keep them from putting totally different addresses in From and Reply-To.

Email authentication puts a stop to that. With SPF, companies can publish a list of designated IP addresses that are allowed to send email using their domains. With DKIM, companies can make sure that every email from their domain carries a cryptographic signature attesting to its origin. And with DMARC, companies can ensure that any emails sent from their domains have matching From and Reply-To addresses. With these standards in place, W-2 scam emails using a company’s exact domain name will never reach their intended recipients.
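As an added illustration (not Valimail’s code, and not part of the original post), the following Python flags the two signals the article describes: a Reply-To domain that differs from the visible From domain, and a From domain that no SPF or DKIM pass is aligned with (the check DMARC receivers perform). The sample message is constructed after the hypothetical W-2 request above; its Reply-To and Authentication-Results headers are assumptions, and the two-label organizational-domain shortcut stands in for the Public Suffix List lookup real DMARC uses.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample after the hypothetical W-2 request above; Reply-To and Authentication-Results are assumed additions.
RAW_MESSAGE = b"""\
From: Jim Smith <Jim.Smith@company.com>
Reply-To: Jim Smith <jim.smith.ceo@example-webmail.test>
Subject: Treat as Urgent
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=mailer.example-webmail.test; dkim=none

I need copies of all employees' W-2 wage and tax statements for 2015 in PDF format.
"""

def domain_of(value: str) -> str:
    """Lower-cased domain of 'Name <user@host>', 'user@host' or a bare 'host'."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()

def org_domain(domain: str) -> str:
    """Approximate organizational domain (last two labels); real DMARC uses the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def parse_auth_results(value: str) -> dict:
    """Parse 'authserv; spf=pass smtp.mailfrom=x; dkim=pass header.d=y' into {method: (verdict, props)}."""
    results = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        parts = clause.split()
        if parts:
            method, _, verdict = parts[0].partition("=")
            results[method] = (verdict, dict(p.split("=", 1) for p in parts[1:] if "=" in p))
    return results

def reply_to_mismatch(msg) -> bool:
    """True when Reply-To would send the answer to a different domain than the visible From."""
    reply_to = msg.get("Reply-To")
    return bool(reply_to) and domain_of(str(reply_to)) != domain_of(str(msg["From"]))

def dmarc_aligned(msg) -> bool:
    """Relaxed DMARC alignment: SPF or DKIM passed for a domain sharing the From org domain."""
    from_org = org_domain(domain_of(str(msg["From"])))
    results = parse_auth_results(str(msg.get("Authentication-Results", "")))
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        verdict, props = results.get(method, ("none", {}))
        if verdict == "pass" and org_domain(domain_of(props.get(prop, ""))) == from_org:
            return True
    return False

def triage(raw: bytes) -> dict:
    """Two flags a mail gateway or SOC rule can act on before the reply (and the W-2s) leave."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"reply_to_mismatch": reply_to_mismatch(msg), "dmarc_aligned": dmarc_aligned(msg)}
```

For the constructed scam message `triage(RAW_MESSAGE)` returns both a Reply-To mismatch and a failed alignment; a genuine internal message with a DKIM pass for company.com returns neither flag.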

Scammers can still launch attacks using similar-sounding domains (joe@copmany.com instead of joe@company.com, for instance), so employees still need to remain vigilant. Train employees that requests for sensitive information and bank transfers always require verbal confirmation, either on the phone or in person. Train them to fulfill information requests by creating a new email, not by replying to the solicitation. And train them to read emails closely for signs that they might not be legitimate.

However, with DMARC email authentication in place, the worst of these scam emails can be sent automatically right where they belong: Oblivion.

DMARC is highly effective, but it can be difficult to implement correctly. Read our article on the most common email authentication mistakes that companies make, and for more in-depth information, check out Valimail’s resource page. How’s your company doing? Use our free domain checker to see if your domain is protected.

Published February 1, 2017
  • Cybersecurity
  • Email
  • IRS
  • Phishing
  • Scams
Author: Valimail
Valimail is a pioneering, identity-based, anti-phishing company that has been ensuring the global trustworthiness of digital communications since 2015. Valimail delivers the only complete, cloud-native platform for validating and authenticating sender identity to stop phishing, protect and amplify brands, and ensure compliance. Valimail has won more than a dozen prestigious cybersecurity technology awards and authenticates billions of messages a month for some of the world's biggest companies and organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the U.S. Federal Aviation Administration. For more information visit www.valimail.com.