The largest healthcare W-2 phishing scam of 2017 so far has been reported by American Senior Communities of Indiana.
Although a number of organizations have already reported being tricked by phishing emails this tax season, this was by far the largest healthcare W-2 phishing scam, affecting over 17,000 of the organization's employees.
To date, 74 organizations have already been scammed in 2017, and that number is set to rise over the coming weeks and months. This year has seen extensive targeting of schools, but at least nine healthcare organizations have also fallen for the phishing scam since January 1.
Citizens Memorial Hospital, Pointe Coupe Hospital, Campbell County Health, Adventist Health (Tehachapi Valley), Maxor National Pharmacy Services, South-East Alaska Regional Health Consortium, eHealthinsurance, Meridian Health Services, and American Senior Communities have all confirmed that at least one of their respective employees had fallen for the phishing scam and inadvertently emailed employees’ W-2 Form data directly to scam artists.
The W-2 phishing scam in question consists of an email sent to an employee in the payroll or HR department of the targeted company or organization. The email is presented as coming from the CEO, CFO or another senior executive, who requests the W-2 Form data of all employees liable to pay tax on their earnings for the previous tax year. The emails typically ask for the W-2 Forms to be sent by return as PDF attachments. The scammers then use the data to file fraudulent tax returns with the IRS. The emails are convincing: the real sender address is disguised (for example behind a spoofed display name, with the actual reply address hidden) to give the impression that the email was sent internally, and such a data request may seem routine in many organizations.
In many cases it becomes evident within 24 to 48 hours that an employee has been scammed, which allows corrective action to be taken to mitigate the risk. Unfortunately, that was not the case in the American Senior Communities incident. Several thousand employees were affected and, moreover, the scam went undetected for over a month. The W-2 phishing email was sent to a payroll employee who replied in mid-January; the scam was not detected until February 17.
The fraudster responsible quickly used the emailed data to file fraudulent tax returns in the names of employees. The scam was ultimately discovered after several employees complained that the IRS had rejected their tax returns on the grounds that a return had already been submitted in their name.
The number of W-2 phishing attacks already reported this tax season suggests that many employers were unaware of the risk of phishing attacks during tax season and had neglected to warn their payroll and HR staff that such an attack might occur.
With six weeks of tax season remaining, the risk of attack remains elevated. Every organization should ensure that its payroll and HR staff are warned of the considerable risk of phishing attacks and told to be on the lookout. Procedures should also be introduced requiring every email request for employee W-2 Form data to be confirmed by telephone or in person before any data is sent.
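To make the pattern described above concrete, here is an added example (not from the original article or from any of the organizations named in it) of a header-based check that a mail gateway or SOC script could run on inbound mail to payroll. It flags the two tricks the scam relies on, a borrowed executive display name and a reply address that does not belong to the organization, and routes any W-2 request that passes the header checks to the out-of-band verification step recommended above. The domain, executive names, and sample messages are all constructed for illustration; only the Python standard library is used.

```python
"""Triage inbound mail for the executive-impersonation W-2 request pattern.

Added example, not code from the original article.  The organisation data
(INTERNAL_DOMAIN, EXECUTIVES) and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data (assumptions for the example).
INTERNAL_DOMAIN = "example-health.org"
EXECUTIVES = {
    "jane doe": "jane.doe@example-health.org",    # CEO
    "john smith": "john.smith@example-health.org",  # CFO
}

# Matches "W-2", "W2", "W-2s" and the formal form name.
W2_KEYWORDS = re.compile(r"\bW-?2s?\b|wage and tax statement", re.IGNORECASE)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate the text/plain parts of a message (handles multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Classify one raw RFC 5322 message.

    Returns (verdict, reasons):
      'suspicious' - asks for W-2 data AND a header indicator fired
      'verify'     - asks for W-2 data, headers look internal: confirm by
                     phone or in person before sending anything
      'ok'         - no W-2 request
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. Executive display name attached to an address that is not theirs.
    key = from_name.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        reasons.append(f"display name '{from_name}' used with {from_addr}")

    # 2. Claims to be an internal request but the From domain is external.
    if _domain(from_addr) != INTERNAL_DOMAIN:
        reasons.append(f"From domain '{_domain(from_addr)}' is not {INTERNAL_DOMAIN}")

    # 3. Replies (and the W-2 attachments) would go to an outside mailbox.
    if reply_addr and _domain(reply_addr) != INTERNAL_DOMAIN:
        reasons.append(f"Reply-To {reply_addr} is external")

    # 4. The receiving gateway recorded an SPF/DMARC failure (RFC 8601 header).
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        reasons.append("Authentication-Results reports SPF/DMARC failure")

    asks_for_w2 = bool(W2_KEYWORDS.search(msg.get("Subject", "") + "\n" + _body_text(msg)))
    if not asks_for_w2:
        return "ok", reasons
    return ("suspicious", reasons) if reasons else ("verify", reasons)


# Constructed sample messages (not real mail).
PHISH_REPLY_TO = """\
From: "Jane Doe" <jane.doe@example-health.org>
Reply-To: <jane.doe.ceo@mail-outlook.example.net>
To: payroll@example-health.org
Subject: Urgent: W-2s for all staff
Content-Type: text/plain; charset="utf-8"

Hi, I need the 2016 W-2 forms for all employees as a PDF by return. Thanks, Jane
"""

PHISH_DISPLAY_NAME = """\
From: "John Smith" <john.smith.exec@gmail.example.com>
To: hr@example-health.org
Subject: W2 request
Content-Type: text/plain; charset="utf-8"

Kindly send me the W2 of all employees for review. John
"""

LEGIT_INTERNAL_W2 = """\
From: "Jane Doe" <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Mailing date
Content-Type: text/plain; charset="utf-8"

Payroll, please confirm the 2016 W-2 mailing date. Jane
"""

BENIGN = """\
From: "Jane Doe" <jane.doe@example-health.org>
To: payroll@example-health.org
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Are we still on for lunch Thursday?
"""

if __name__ == "__main__":
    for label, sample in [("reply-to spoof", PHISH_REPLY_TO), ("display-name spoof", PHISH_DISPLAY_NAME),
                          ("internal W-2 mail", LEGIT_INTERNAL_W2), ("benign", BENIGN)]:
        verdict, reasons = triage(sample)
        print(f"{label:20s} -> {verdict}: {reasons}")
```

Note that the third sample is classified as "verify", not "ok": a genuine-looking internal W-2 request is exactly what the attacker is trying to imitate, so the filter only removes the obvious spoofs and leaves the telephone or in-person confirmation as the control that actually stops the data leaving the building.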