Malicious actors are now also trying to steal money.
Malicious actors are now also trying to steal money.

The Internal Revenue Service (IRS) has issued a warning on W-2 phishing scams noting that cybercriminals are not only targeting new types of victims, but also attempting to obtain money in addition to tax form data.

The directive noted that the malicious actors have begun attacking schools, hospitals, tribal organizations and restaurants, in addition to their favorite target – major corporations. In addition, the scams attempt to extract money from their victim using a wire scam and not just the personal information found on the W-2 form.

A swarm of W-2 attacks have taken place over the last several days that include some of the newer targets, such as the Lexington County (SC) School District Two and Scotty's Brewhouse, along with more traditional targets like Mitchell Gold + Bob Williams Furniture.

“This is one of the most dangerous email phishing scams we've seen in a long time,” said IRS Commissioner John Koskinen. "It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns."

The new twist on the W-2 scams that the IRS pointed out has cybercriminals doubling down on their basic tax-form attack: In another email, they instruct targets to transfer funds to a certain account. Essentially, the scammer uses the same socially engineered information used in the W-2 attack to then request a money transfer.

The IRS is asking any organization that is hit with either of these scams to quickly report the incident to phishing@irs.gov and file a complaint with the Internet Crime Complaint Center. Quick action is needed to protect the individuals whose W-2 data was stolen because one of the first fraudulent actions taken could be to file a false tax return in the victim's name, but sending any refund to the scammer.

The government also called for those in charge of protecting employee and member tax information to be more vigilant when confronted with messages asking for such data to be exported.

“Given most organizations have very limited email security systems and getting employees to share sensitive data when they have been socially engineered this is likely very effective and not very costly to the attackers,” said Matthew Gardiner, cybersecurity strategist at Mimecast.

A similar spate of W-2 attacks took place last year involving Seagate, Brunswick and U.S. Bancorp.