How to Lose Your Employee W-2 Docs to Spear Phishing and How to Stop It

January 21, 2020

It’s tax season, which means cyber attacks are in high gear. A trend that started last year and has grown in frequency is the attack aimed at stealing employee W-2 information. The attackers then file false tax returns, open home equity lines of credit and commit other fraud in the employees’ names. No business owner wants to see this headline:

“Weidenhammer Loses Employees’ W-2 Info in Phishing Scam”

Another Successful Spear Phishing Attack

That is the headline that greeted John Weidenhammer, founder and president of Weidenhammer Systems Corp. in Wyomissing, PA. It followed an email he sent to his employees in early March, the same day the company became aware of the data breach. The Reading Eagle reported:

“Weidenhammer has been victim of a spear phishing event that has resulted in the transfer of 100 percent of our 2016 W-2s to an unknown party,” Weidenhammer informed employees. “You should assume your Social Security number, your home address, your 2016 earnings and all of the tax withholding that would appear on a W-2 has been compromised.”

Weidenhammer, whose company also has offices in Allentown and Lancaster, explained to employees that an administrator had received a fraudulent email, appearing to come from him, requesting copies of all employee W-2 forms for 2016. Thinking it was a legitimate request, the administrator forwarded the financial information to the fraudulent email account at

“The perpetrators have already begun to use the information to file fraudulent federal and state income tax returns for 2016, apply for home equity loans and open/defraud credit card accounts,” Weidenhammer said.

When it comes to spear phishing, it doesn’t matter whether your company is technologically sophisticated. Weidenhammer is a technology services firm. Snap, the newly public company that makes the Snapchat mobile app, was also a victim, as was internet pioneer Yahoo. When it comes to spear phishing and social engineering, everyone is at risk.

A 400% Surge in Tax Season Phishing Incidents

This is a terrible situation for any employer or employee to go through. Unfortunately, Weidenhammer’s experience is all too common. A study last year concluded that more than six out of every ten spear phishing attacks succeed. The IRS even issued a news release in January 2017 to warn HR professionals of the rising threat:

The Internal Revenue Service today issued an alert to payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

The IRS has learned this scheme — part of the surge in phishing emails seen this year — already has claimed several victims as payroll and human resources offices mistakenly email payroll data including W-2 forms that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives.

The IRS recently renewed a wider consumer alert for e-mail schemes after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season and other reports of scams targeting others in a wider tax community.

Florida’s Manatee County School District, Virginia Wesleyan College, the City of San Marcos, Asbury Communities, GCI and many others have already become victims in 2017. If you haven’t been hacked, you might just be lucky this year. Then again, you may have been hacked and not yet know it.

Exploiting Human Psychology with Social Engineering

Asbury Communities manages retirement communities in four states and would not normally seem a prime target for cyber criminals. However, personal financial data for 3,000 employees can be sold on the dark web or exploited directly. The challenge for IT administrators and cybersecurity professionals is that traditional security defenses don’t work here: the attacks are not technically sophisticated but rely on social savvy. WJLA reported on the Asbury incident:

Around 10 p.m. on Thursday, February 2, a female finance department employee received an email requesting W-2 forms for all employees. The email appeared to be from the company CEO, and referenced other upper level management. In fact, the email address was identical. The employee, known for her “eagerness” and “responsiveness” around the office, fulfilled the request in quick order. The following morning, she asked the CEO if he had received the sensitive tax documents, at which point she learned of her terrible mistake.

So the only technical aspect of this attack was spoofing the sender’s From header to show the CEO’s own address. Everything else required was knowing the CEO’s name and the email address of an employee with access to the documents. From there, the highly valued employee traits of “eagerness” and “responsiveness” were exploited. Had the finance department employee not mentioned the request to the CEO the next day, the company still might not know about the breach. Do you know whether you have been a victim this year? Have you asked your administrative, HR or finance staff?
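As an added illustration (example code, not part of the original post and not Graphus’s product), the checks below parse a message the way an inbound mail gateway would and flag the identity signals the Asbury case turns on: a From address in the company’s own domain that the receiving server could not authenticate, an executive’s display name on a foreign address, and a Reply-To that steers replies somewhere else, combined with the tell-tale request for W-2 or payroll data. The company domain, the executive list, the Authentication-Results header and the three sample messages are all constructed for the demo.

```python
"""Triage an inbound message for executive-impersonation and W-2 lure signals.

Added example, not code from the original post or from Graphus. It assumes a
company domain, an executive list and an Authentication-Results header stamped
by the receiving mail server; all three are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # assumption: our own domain
EXECUTIVES = {"ceo@example.com": "Jane Doe"}   # assumption: names that carry authority

# Phrases typical of the payroll-data lure.
SENSITIVE_REQUEST = re.compile(
    r"\b(w-?2s?|social security|ssn|payroll|earnings)\b", re.IGNORECASE)


def parse_auth_results(header):
    """Map method -> result from an Authentication-Results header (RFC 8601),
    e.g. 'mx.example.com; spf=fail ...; dmarc=fail ...' -> {'spf': 'fail', ...}."""
    results = {}
    for clause in (header or "").split(";")[1:]:   # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def triage(raw_message):
    """Return the list of findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].lower().rpartition("@")[2]
    auth = parse_auth_results(msg.get("Authentication-Results"))

    # 1. Exact-address spoof: From shows our domain but the message did not
    #    authenticate as ours (the Asbury pattern: "the email address was identical").
    if from_domain == COMPANY_DOMAIN and auth.get("dmarc") != "pass":
        findings.append("from-domain-unauthenticated")
    # 2. Executive's display name on some other address (free-mail or look-alike domain).
    for exec_addr, exec_name in EXECUTIVES.items():
        if from_name.lower() == exec_name.lower() and from_addr != exec_addr:
            findings.append("executive-display-name-mismatch")
    # 3. Reply-To steering the conversation away from the From domain.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")
    # 4. The ask itself: bulk payroll / W-2 data.
    body = msg.get_payload(decode=True) or b""
    if SENSITIVE_REQUEST.search(msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")):
        findings.append("requests-payroll-data")
    return findings


def should_quarantine(findings):
    """Hold for review when an identity anomaly coincides with a payroll-data
    request; either alone is noisy, together they are the lure."""
    identity = {"from-domain-unauthenticated", "executive-display-name-mismatch",
                "reply-to-domain-mismatch"}
    return "requests-payroll-data" in findings and bool(identity & set(findings))


# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <ceo@example.com>
To: payroll@example.com
Reply-To: Jane Doe <ceo.example@mail.example.net>
Subject: W-2 forms
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset=utf-8

I need copies of all employee W-2s for 2016 in PDF today. Thanks, Jane
"""

LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
To: payroll@example.com
Subject: Quick request
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none header.from=examp1e.com
Content-Type: text/plain; charset=utf-8

Send me the social security numbers and earnings for everyone, I am in a meeting.
"""

LEGIT = """From: Jane Doe <ceo@example.com>
To: payroll@example.com
Subject: Board lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Can you book the usual room for Thursday?
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name, triage(sample), "quarantine" if should_quarantine(triage(sample)) else "deliver")
```

The Authentication-Results header is only trustworthy when your own inbound server writes it and strips any copy that arrived with the message; otherwise the attacker simply forges a dmarc=pass. These are triage heuristics, not a verdict: a genuine executive mailing from a personal account will trip the display-name check, which is why the quarantine rule also requires the payroll-data request before holding the message.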

No Network Hacked but Plenty of Damage

A report by KTVA, the Anchorage news station that media company GCI itself owns, about the attack on its own parent reveals how effective social engineering and spear phishing can be even when an employee initially shows restraint toward a request.

“The employee who received the sham email correctly questioned the request as unusual,” Chapados wrote. “The third party… persisted with the request, however, and ultimately the requested information was emailed to the third party on Feb. 24.”

Chapados said all GCI, Denali Media, UUI and Unicom employees paid in 2015 were affected by the scam. He emphasized that no GCI system or network was hacked, and no customer information was taken or compromised.

This example shows that phishing training alone does not go far enough, which is consistent with other data: even after employees were trained to spot spear phishing, a Verizon report found that 30% were still fooled. When the attacker persists with the charade, resistance is even less effective. At GCI, the result was the theft of personal financial information for 2,500 employees. Again, no traditional cyber defenses would have helped, because no system was broken into. Spear phishing attacks enlist credentialed employees to unwittingly exfiltrate data for the attacker.

How to Stop Spear Phishing Attacks

Traditional network and endpoint defenses are simply not effective against spear phishing and social engineering attacks. Training helps, but nearly one third of attacks still succeed. What does work? First, the solution must be automated: we cannot rely on humans never being tricked by other humans. The technical solution must identify a spear phishing email before anyone has the chance to act on it by mistake.
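The narrowest automated control for the identical-address spoof in the Asbury story is DMARC, the policy a domain publishes in DNS telling receiving mail servers what to do with a message whose From domain is not backed by an aligned SPF or DKIM result. The post does not name DMARC; the evaluator below is an added example of that policy logic (not Graphus code) and a simplification of RFC 7489 that takes the last two labels as the organisational domain instead of consulting the Public Suffix List. The record strings and SPF/DKIM results are constructed inputs.

```python
"""Evaluate DMARC the way a receiving mail server does (RFC 7489).

Added example, not code from the original post or from Graphus. It assumes the
sender domain's DMARC TXT record and the SPF/DKIM results are already in hand,
and it simplifies the organisational domain to the last two labels instead of
consulting the Public Suffix List (an assumption that is wrong for e.g. .co.uk).
"""


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC defaults."""
    tags = {"adkim": "r", "aspf": "r"}            # relaxed alignment by default
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + txt)
    return tags


def org_domain(domain):
    """Assumption: organisational domain = last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, record, spf, dkim):
    """from_domain: RFC5322.From domain; spf: (result, RFC5321.MailFrom domain);
    dkim: (result, d= domain). Returns 'pass' or the policy action to apply:
    'none' (deliver, just report), 'quarantine' or 'reject'."""
    tags = parse_dmarc_record(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Constructed scenario: the attacker's server sends mail whose From header
    # shows the CEO's real address, while the envelope sender is the attacker's domain.
    spoof_spf, spoof_dkim = ("pass", "attacker.example"), ("none", "")
    print(dmarc_disposition("example.com", "v=DMARC1; p=none", spoof_spf, spoof_dkim))    # none
    print(dmarc_disposition("example.com", "v=DMARC1; p=reject", spoof_spf, spoof_dkim))  # reject
```

Publishing p=none produces aggregate reports but still delivers the spoof, which is the state most organisations are in; moving to p=reject, once every legitimate sending service is aligned, is what makes the receiving server drop the identical-address trick before a person ever sees it. It does nothing for look-alike domains or free-mail accounts carrying the executive’s display name, which still need content-aware detection and an out-of-band verification rule for any request for payroll data.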

This solution is only possible when it starts from a deep understanding of email, DNS, threat intelligence, big data algorithms, machine learning and graph theory. Graphus applies these in concert to build a Trust Graph™ between people, devices and networks. The linkages between these nodes, combined with threat intelligence and other factors, have proven remarkably successful in automatically eliminating social engineering and spear phishing attacks. Graphus spent the past year proving out the solution with ten companies during our beta period, and it was made generally available to G Suite users earlier this year. Graphus works automatically, provides a dashboard so you can see what is happening or investigate incidents further, and takes about one minute to activate.

If you would like to learn more about activating Graphus for G Suite and immediately protecting your company from spear phishing, please click below. If you are not using G Suite/Gmail, but would like to know when Graphus is available for Microsoft Outlook, please click the other button and we will let you know when the solution becomes available.