W-2 Scams, Spear Phishing, and the End of One-Size-Fits-All Security Awareness

The W-2 scam provides another example of how a security awareness program that adapts to trending threats has an advantage over a one-size-fits-all plan.

Co-authored by Steve Williams. This article originally appeared on Network World.

Multiple times each year, LinkedIn feeds and information security forums light up with examples of the latest and greatest versions of phishing attacks.

Most recently the hot stories have been about a simple targeted request that avoids links, attachments, and malware, plays friendly with email filters, and appears extremely urgent to the recipient. This form of phishing is known as the “W-2 Scam.”

According to CSO Online, W-2 scammers compromised the information of 29,000 employees across 23 organizations in the first two months of 2017. Victim organizations ran the gamut from schools and nonprofits to restaurants, software companies, and public utilities.

How it Works

The W-2 scam tries to take advantage of folks in accounting, controller, and HR roles by presenting urgent requests for employee W-2 information. These messages arrive during a time of the year when individuals in these roles fully expect to receive messages from time-stressed CFOs or even CEOs requesting urgent action. In this scenario, attackers pair social engineering and phishing to put the sensitive personal information of employees at risk. All this based on a well-timed email request, a decision made in the moment, and the SEND button.

The W-2 scam ranks up there with some of the more impressive phishing attack methods. It proves that the right message sent to the right person at the right time can provide immediate results. But why leave the benefit of this tactic to the bad guys?

Right Content, Right People

The idea of getting the right content to the right people is one that we good guys should be eager to exploit. If the combination of role-based phishing and social engineering can be this effective in getting people to do the wrong thing, then perhaps we should be looking for opportunities to use similar tactics to get them to do the right thing. If we can use precise targeting and timing for security awareness, perhaps we can tip employees in the right direction.

After all, it makes no sense to educate everyone on the W-2 scam. Training all your outside sales representatives (or call center reps or developers or drivers, etc.) on the W-2 scam would be a misdirected effort because the scenario doesn’t align particularly well with their role or access level.

In contrast, any individual with access to payroll systems and employee tax information should get some immediate and meaningful form of training on this scenario. This means more than a “watch out for this” message, which may get buried in an inbox. To get real results, a better approach would be to use simulated W-2 scam emails sent just to those who are susceptible. For those who report the attempts, immediate positive feedback is in order. For those who fall victim, immediate (but still positive) education is needed. Now you’re getting the right content to the right people at the right time—just like the scammers.

Of course, you’ll have to set up similarly realistic and irresistible simulated phishing temptations for your other employees—perhaps purchase orders for the sales team, or urgent customer requests for your customer service reps. But you’ll quickly find much more meaningful results than anti-phishing training that gets set on auto-pilot with random templates and similarly random feedback.

While phishing simulations can help improve decision making and reduce susceptibility to these threats, security awareness that includes a “what to do” component blended with “what not to do” helps empower people to make the right call when it matters.

One organization reported a victory over the W-2 scam through their own internal “multi-factor authentication” process. This process required that any fund transfers or requests for sensitive information be reviewed and approved by two team members and then reviewed once more before being completed by a third individual. This process leveraged the “multi-factor” capabilities of people and shut down the scam when the second individual reviewing the request noticed inconsistencies within the email and quickly confirmed that the CEO never made this request.

W-2 Scammer’s Playbook

To play defense effectively and win, you’ve got to study the attacker’s playbook and tendencies. In the case of social engineering and phishing scams, they’ve got a page or maybe even several chapters in the playbook for role-based attacks.

The W-2 scam provides us with yet another example of how a security awareness program that adapts and mobilizes in response to trending threats and provides targeted content to specific roles offers a distinct advantage over the “one size fits all” approach. It comes down to this: the cybercriminals are getting crafty; we’ve got to get crafty too.

Check out or own animation on tax season phishing to help remind your employees of the dangers of this social engineering scam! Learn more about our own phishing simulator here

Share this Post