Blog

Watch Out for These W2 Phishing Emails

Watch Out for These W2 Phishing Emails

01/30/2018

Tax season is starting, and along with it come the tax-related phishing emails. We’ve already started seeing emails this year that look like W2 notifications. Be on the lookout for these, and other tax-related scams.

Let’s look at a specific example:

W2 Phishing Email

 

There are few red flags in the email that give it away as malicious:

1. The sender says “ShareFile,” but the body of the email is DocuSign branding. These are two different services.

2. It doesn’t mention the name of the company anywhere. It just says “Coorporate Office.” There are two red flags here: 1. Spelling and grammar errors are typically a sign of phishing emails. 2. Not including a company name means they can blast this to as many people as possible without having to make any changes.

3. The email is trying to get you to click on the link. If you hover over the link in the actual email, it doesn’t go to a DocuSign (or ShareFile) site.

4. Most places don’t send W2s via DocuSign or ShareFile. W2s are typically sent through the mail and/or are accessible through an HR portal. There usually isn’t a reason to sign and return documents, as the email suggests.

If you do click the link in this particular email, it takes you to a pretty convincing looking sign in page:

 

W2LoginPage

 

The biggest red flag that this is a fake login page? It says DropBox, which is different service from both DocuSign and ShareFile. If you aren’t paying much attention, it’s easy to miss.

This also isn’t what a DropBox login page looks like, but you’d have to be familiar with the service to catch that, and even then, you may not notice. It’s a good fake.

Please keep in mind, this just one example. There will likely be other versions of the same scam that may look completely different. They will most likely all try to either get you to click on a malicious link or download a malicious attachment.

The best thing you can do to help protect your company is to let your employees know how they can access their W2s – and how they can’t access them. If employees can access their W2 information through an online HR portal, make sure they know how to access it without clicking on an email link. If you are only sending W2s by mail, make sure employees know there is no other option. Make sure they are clear on the ways to access their W2 and that ANY other notifications are malicious and should be disregarded.

It’s not unusual for cybercriminals to take advantage of timely events to try to increase their chance of success, and tax season is no exception. These likely won’t be the only tax-related attacks we see this year.

One variation we’ve seen in the past targets HR folks specifically: The attacker (usually posing as a C-level employee) asks for the W2’s of everyone in the company. This information can be sold on the black market or used to steal identities.

Be on the lookout for these, and other tax-related phishing attacks over the coming months. As always, if you are a PTG customer, you can forward any email to us to check over before you click or respond. If you want to learn more about phishing, and other cybersecurity threats to small businesses, read our Ultimate Guide to Small Business Cyber Security

 Ultimate Guide to Small Business Cyber Security

   
Ultimate Guide to Small Business Cyber Security