Valimail blog

Be Prepared for Tax Season Email Scams

Author: Valimail
Tax forms! Photo credit: Manchester Library/Flickr via photopin.com

With tax season just ramping up for many companies, it’s a good time to be on the lookout for a particularly pernicious form of business email compromise (BEC): The W-2 scam.

As J.D. Supra recently noted, this is a type of phishing scam that usually begins with a fake email. The email appears to come from the CEO or CFO and is usually sent to someone in human resources or payroll, asking them to forward all of the company’s employees’ W-2 forms in PDF format.

Here’s a hypothetical example from the J.D. Supra post:

From: Jim.Smith@company.com
To: Tony.Adams@company.com
Subject: Treat as Urgent
Date: March 7, 2016 10:55 AM
_____________________

Hi Tony,

I need copies of all employees’ W-2 wage and tax statements for 2015 to complete a business transaction. I need them in PDF format. You can send them as an attachment.

Regards,

Jim Smith

Usually the attacker has done enough research to figure out the names of the executives involved and to craft a reasonably realistic-looking email.

Unfortunately for the recipients of this message, it’s not actually a top exec sending it. The original email contains a Reply-To address that’s different from the one shown in the From field, and which is controlled by the scammer. Since the Reply-To address is hidden by most email clients, it’s easy for the recipient to respond without noticing that their reply is actually going to a different address. If that reply contains the requested attachment, then the hapless employee has just given the scammer a treasure trove of data, including home addresses, social security numbers, and income data for the company’s employees.
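The Reply-To mismatch described above is something a mail gateway or a simple triage script can check before a person ever sees the message. The following is an added example, not code from the original post: it parses a constructed message modeled on the hypothetical W-2 request (the Reply-To header and its domain are made up for the example) and flags replies that would leave the From domain.

```python
"""Flag messages whose Reply-To routes replies away from the From domain."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the post's hypothetical W-2 request; the
# Reply-To header and its domain are made up for this example.
SAMPLE = """\
From: Jim Smith <Jim.Smith@company.com>
Reply-To: Jim Smith <jim.smith@mail-company-exec.example>
To: Tony.Adams@company.com
Subject: Treat as Urgent
Date: Tue, 7 Mar 2016 10:55:00 -0500

Hi Tony,

I need copies of all employees' W-2 wage and tax statements for 2015.
"""


def header_domain(msg, name):
    """Return the lower-cased domain of an address header, or None if absent."""
    _, addr = parseaddr(msg.get(name, ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def reply_to_mismatch(raw):
    """Return (from_domain, reply_domain, mismatch) for a raw RFC 5322 message.

    A Reply-To header pointing at a different domain than From is the tell the
    post describes: the displayed sender is the executive, but replies go
    elsewhere. A missing Reply-To means replies go back to From, so no flag.
    """
    msg = message_from_string(raw)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    mismatch = reply_dom is not None and reply_dom != from_dom
    return from_dom, reply_dom, mismatch


if __name__ == "__main__":
    print(reply_to_mismatch(SAMPLE))
```

A gateway rule built on this check would typically warn the recipient or route the message for review rather than silently drop it, since legitimate senders (ticketing systems, mailing lists) also set Reply-To.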

The W-2 scam is surprisingly common, and has caught many companies unawares. It’s similar in operation to the CEO-to-CFO scam, in which the scammer appears to be requesting a bank transfer, again by posing as a top executive of a company.

These attacks take advantage of the fact that, for domains without email authentication, there’s nothing stopping scammers from putting whatever they want in the From field of their emails. For that matter, there’s nothing to keep them from putting totally different addresses in From and Reply-To.

Email authentication puts a stop to that. With SPF, companies can publish a list of designated IP addresses that are allowed to send email using their domains. With DKIM, companies can make sure that every email from their domain carries a cryptographic signature attesting to its origin. And with DMARC, companies can require that the domain in the visible From field match (be aligned with) the domain that SPF or DKIM actually authenticated, and tell receiving mail systems to quarantine or reject messages that fail. With these standards in place, W-2 scam emails using a company’s exact domain name will never reach their intended recipients.
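To make the alignment rule concrete, here is an added example (not code from the post or from Valimail's products) that evaluates the DMARC pass/fail decision for a message given its SPF and DKIM results. It shows why the W-2 scam mail fails even though the attacker's own server passes SPF for the attacker's own domain. The organizational-domain computation is deliberately simplified; all domains are constructed examples.

```python
"""Evaluate DMARC identifier alignment for one message (simplified)."""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain: what the recipient sees
    spf_pass: bool
    spf_domain: str    # domain SPF actually checked (MAIL FROM / Return-Path)
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned


def org_domain(domain):
    """Simplified organizational domain: last two labels.
    Real implementations use the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain. An empty auth domain never aligns."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(r, aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with From."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, adkim)
    return spf_ok or dkim_ok


# Constructed scenarios (domains are examples, not real infrastructure):
# 1. The W-2 scam: attacker's own server, From forged as company.com.
SCAM = AuthResults("company.com", True, "attacker-bulk.example", False, "")
# 2. Legitimate mail from the company's relay, DKIM-signed with d=company.com.
LEGIT = AuthResults("company.com", True, "company.com", True, "company.com")
# 3. Third-party sender signing with its own d= and its own bounce domain:
#    fails DMARC until the vendor is set up to sign/bounce as company.com.
VENDOR = AuthResults("company.com", True, "bounce.vendor.example", True, "vendor.example")
# 4. Subdomain bounce address: passes relaxed SPF alignment, fails strict.
SUBDOM = AuthResults("company.com", True, "mail.company.com", False, "")

if __name__ == "__main__":
    for name, r in [("scam", SCAM), ("legit", LEGIT), ("vendor", VENDOR), ("subdom", SUBDOM)]:
        print(name, dmarc_pass(r))
```

Scenario 3 is the usual reason DMARC is "difficult to implement correctly": every legitimate third-party sender has to be brought into alignment before a reject policy is safe.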

Scammers can still launch attacks using similar-sounding domains (joe@copmany.com instead of joe@company.com, for instance), so employees still need to use vigilance. Train employees that requests for sensitive information and bank transfers always require verbal confirmation, either on the phone or in person. Train them to fulfill information requests by creating a new email, not by replying to solicitations. And train them to read emails closely for signs that they might not be legit.

However, with DMARC email authentication in place, the worst of these scam emails can be sent automatically right where they belong: Oblivion.

DMARC is highly effective, but it can be difficult to implement correctly. Read our article on the most common email authentication mistakes that companies make, and for more in-depth information, check out Valimail’s resource page. How’s your company doing? Use our free domain checker to see if your domain is protected.

Published February 1, 2017
  • Cybersecurity
  • Email
  • IRS
  • Phishing
  • Scams