How criminals could steal your tax return


On March 22 an employee at software company Pivotal Labs received an email purporting to be from CEO Rob Mee, asking for personal information about employees. Assuming the email was legitimate, the worker sent W-2 information — including the names, addresses, 2015 income details, Social Security numbers and Individual Taxpayer Identification Numbers of an undisclosed number of employees — to what turned out to be a group of cybercriminals.

The company reported the breach to authorities, opened an investigation and is offering employees identity protection services, according to a notice it shared with employees. The incident was first reported by SC Magazine. (Pivotal Labs did not immediately return a request for comment.)

The incident highlights a growing phishing scam in which criminals use stolen W-2 information to file fraudulent tax returns in employees' names and collect the refunds.

"These scams are active right now, especially at tax season," said Rodney Joffe, senior vice president at Neustar. "And while there have been some mentioned in the press, there are thousands of companies, small and large, being targeted each and every day."


Other recent victims made public include data storage company Seagate and start-up Snapchat. Seagate inadvertently exposed the tax data of thousands of workers when an employee shared 2015 W-2 tax form information for current and former U.S.-based employees in response to a phishing email. Snapchat apologized to workers after its payroll department shared information about some current and former employees in response to an email impersonating CEO Evan Spiegel.


Both companies are investigating, cooperating with authorities and offering employees identity protection services.

The surge in phishing email W-2 scams this year prompted the Internal Revenue Service to issue a warning to payroll and human resources professionals on March 1.

"This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data," said IRS Commissioner John Koskinen. "If your CEO appears to be emailing you for a list of company employees, check it out before you respond."

The Federal Bureau of Investigation also issued a warning on March 29 about the rise in schemes targeting businesses, financial officers and individuals. The W-2 scam is a seasonal variation of what is known as the business email compromise (BEC) scam or "CEO fraud."


Law enforcement has received BEC complaints from victims in every U.S. state and in more than 79 countries, though the vast majority of victims are in the U.S. From October 2013 through February 2016, law enforcement received reports from 17,642 victims, adding up to more than $2.3 billion in losses. Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.

"These scammers only have to be successful a very small percentage of the time for it to be lucrative," said Joffe. "And $2.3 billion is a great motivator for new gangs to get into the business, so it will grow for that reason as well."

The criminal organizations behind the attacks surf the web from what look like internet cafes, often in Nigeria, said Joffe. They research targets online to build a profile of the company, its corporate structure and the other entities with which it does business. Often they register a domain that resembles the target's, for example by replacing a "w" with a double "v" ("vv"), by inserting an extra "i" into a word, or by using a slightly different top-level domain, such as ".co" instead of ".com."

They then send emails from addresses that look almost indistinguishable from legitimate email accounts within the company.
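The domain tricks described above (a "w" spelled as "vv", a doubled "i", ".co" in place of ".com") can be checked mechanically at the mail gateway before a message ever reaches payroll. The following is an added example, not code from the article or from any company it names. It folds the confusable spellings the article mentions, plus a few assumed ones ("rn" for "m", "0" for "o", "1" for "l"), and compares the sender's domain with a list of trusted domains. The trusted domain `widgetworks.com`, the sender addresses and the 0.8 similarity threshold are all constructed assumptions; public-suffix handling (e.g. `.co.uk`) is out of scope.

```python
"""Lookalike sender-domain check for inbound mail.

Added example, not part of the original article. The trusted domain, the
sample From: headers and the similarity threshold are constructed for the
demonstration.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Confusable sequences, applied in order (multi-character ones first).
# "vv" -> "w" and "ii" -> "i" are the article's examples; the others are
# assumed from common BEC domain registrations.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("ii", "i"), ("0", "o"), ("1", "l")]

# Constructed trusted domain for the example.
TRUSTED = ["widgetworks.com"]

# Constructed sample From: headers, as a gateway would see them.
SAMPLE_FROM_HEADERS = [
    "Rob Mee <rob@widgetworks.com>",        # genuine
    "rob@mail.widgetworks.com",             # genuine subdomain
    "Rob Mee <rob@vvidgetworks.com>",       # "w" written as "vv"
    "Rob Mee <rob@wiidgetworks.com>",       # extra "i"
    "Rob Mee <rob@widgetworks.co>",         # ".co" instead of ".com"
    "ap@vendor-invoices.net",               # unrelated external sender
]


def fold(label: str) -> str:
    """Collapse confusable character sequences so lookalikes compare equal."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, top-level domain) for 'name.tld'."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_sender(header_value: str, trusted: list[str]) -> tuple[str, str]:
    """Classify a From: header value against trusted domains.

    Returns (verdict, reason); verdict is 'internal', 'lookalike',
    'suspicious' or 'external'.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return "suspicious", "no parseable address in From: header"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    sld, tld = split_domain(domain)
    for good in trusted:
        good = good.lower()
        if domain == good or domain.endswith("." + good):
            return "internal", f"{domain} is {good} or a subdomain of it"
        good_sld, good_tld = split_domain(good)
        if fold(sld) == fold(good_sld):
            if tld != good_tld:
                return "lookalike", f"{domain} uses .{tld} instead of .{good_tld}"
            return "lookalike", f"{domain} is a confusable spelling of {good}"
        # Catch near-misses the fold table does not cover (assumed threshold).
        ratio = SequenceMatcher(None, fold(sld), fold(good_sld)).ratio()
        if ratio >= 0.8:
            return "suspicious", f"{domain} is {ratio:.0%} similar to {good}"
    return "external", f"{domain} is not a trusted domain"


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        verdict, reason = classify_sender(header, TRUSTED)
        print(f"{verdict:10} {header:40} {reason}")
```

A "lookalike" verdict on a message that asks for W-2 data, a wire transfer or an employee list is exactly the case the IRS and FBI warnings describe; the practical response is to quarantine the message and confirm the request with the named executive through a channel other than email.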


The attacker then sends an email to a senior executive that appears to come from another senior executive and asks for proprietary information. The criminals solicit money or any other information they can monetize.

"The most malicious email attacks are no longer pleas for funds from a purported Nigerian prince," said Patrick Peterson, CEO of cybersecurity company Agari. "Instead, the cybercriminals of today are sophisticated shape shifters who take the form of your most trusted colleagues — your CEO, CFO or longtime business partner."

For example, they might send an email to the CFO asking for money to be wired to a foreign bank account. Last year, a finance executive at toy maker Mattel wired more than $3 million to a bank in Wenzhou, China, only to find out that the company had been the victim of scammers. The company was unusually lucky in that it was able to retrieve its money with the help of international authorities.


Alternatively, a gang might target an executive in research and development with a well-crafted email that looks like it comes from another executive asking them to share critical information. One method thieves use to trick people into revealing such information is under the guise of an impending merger and acquisition deal that requires the executive to divulge detailed competitive information that is normally kept private.

If an employee questions the request, they may receive an email moments later which appears to forward an email from the CEO verifying the request. They then proceed, satisfied they have vetted the request, and entirely unaware they have exposed the firm to cybercriminals. Two minutes after they complete the transaction, they might get an email seemingly cc'ing the "CEO" thanking them for their cooperation.


There are a large number of cybersecurity companies offering products that aim to identify phishing emails and block them from ever reaching the employee. Agari uses data analytics and machine learning to build "trust models" that reflect the behavioral pattern of legitimate domains to help customers to identify and block phishing attacks. The company counts six of the top 10 banks and five of the world's leading social media networks as customers.

But despite all the security products on the market, the real solution lies in raising awareness, said many experts. Cybersecurity firm PhishMe offers a product that teaches employees how to identify and respond to phishing attacks. It counts more than 200 of the Fortune 500 companies as customers.

"We took a different approach," said PhishMe CEO Rohyt Belani. "It's a human that falls prey, that is victimized by this, and let's work on making the human more resilient."

"People want silver bullets," said Belani. "Unfortunately, that's never going to be the case."