W2 Phishing Season

It's arrived! That happy time of year when hackers the world over try out their phishing skills to obtain copies of employees' W2 forms and journalists write about them. But why is this a problem? And who is really at fault?

W2 Phishing Season is now in full swing. For those of you unfamiliar with this pastime, I should explain that it's an American thing. This is the time of year when company accountants are sent emails purporting to be from either their boss or the Internal Revenue Service (IRS) requesting copies of their employees' W2 forms.

In the US tax system, a W2 is a form prepared by an employer at the end of each year which summarizes how much an employee earned and how much tax was deducted. Copies of these forms are sent to the Internal Revenue Service and to each employee. The employee subsequently uses this information to prepare a Form 1040 (individual tax return). (In the UK the equivalent form would be a P60; in Canada it would be a T4.)

So why do criminals want copies of W2 forms?

In a successful attempt by politicians to make paying taxes more palatable, the system is set up so that the typical taxpayer overpays tax during the year (more tax is deducted than the taxpayer will owe), and therefore the taxpayer will receive a refund once he or she completes a tax return.

When a taxpayer completes a tax return, the taxpayer also specifies how any refund will be paid: by check, direct deposit, or by payment to a prepaid debit card. In other words, if you can forge a tax return, you can get the IRS to send you money. If the forger also claims deductions for which the taxpayer is not entitled, the forger can increase the payout. And with online filing, it's possible to carry out the entire fraud without ever setting foot in the United States.

Obviously when the actual taxpayer submits their tax return, the fraud will be discovered. However, it seems that fraudsters can rely on the human failing of procrastination: if their tax return arrives and is processed before the legitimate form is submitted, they get paid.

The problem of W2 fraud is often presented as a phishing problem: if only the junior accountant had realised the urgent email from their boss was a fake and hadn't replied with a copy of all the employees' W2 forms! It must be his fault.

But it isn't.

Indeed, if this type of phishing happened in Norway, nobody would care, as tax returns there have been public since the 1800s.

The problem is that someone can submit a US tax return on someone else's behalf without their knowledge or consent and apparently arrange payment to an arbitrary bank account or get a cheque or prepaid debit card sent to an arbitrary address.

Thus it's not so much a phishing problem as an authentication problem.

The IRS is unable to verify that the person submitting a tax return is the actual taxpayer or a person authorized to prepare a tax form on their behalf, or that the banking and address information corresponds to the actual taxpayer. The fraud relies on this combination of vulnerabilities to succeed.

I have some sympathy for the IRS in this: they have regulations requiring them to pay out tax claims quickly, limited staff budgets (which limits the amount of manual verification that can be performed), frequent political interference, and limited political support. No politician in the United States can be seen to like the taxman.

But it's an interesting question as to why this form of fraud does not appear to be a major issue in other countries. For example, Canada has a similar tax refund system/strategy to the United States, but T4 phishing does not appear to be a problem there. The UK has a different system, but nobody seems to be phishing for P60 forms.

I'm not familiar enough with the IRS tax procedures to speculate on why the IRS procedures seem particularly vulnerable. Do a large number of taxpayers suddenly opt for payment by cheque or debit card and change their address each year? Do a large number of taxpayers change their bank account details each year? There are surely many checks like this which could be used to identify potential impersonation fraud.

Or are the costs of increased checking for impersonation fraud significantly higher than the losses? The IRS has to pay interest on delayed payouts, and it takes time and effort to determine if an impersonation fraud is being attempted. Perhaps a certain level of impersonation fraud is simply an "acceptable loss". Or perhaps the IRS is being asked to focus on staff costs rather than the net amount of revenue raised.

Whatever the reason, while the phishing attacks may make the headlines, it's in the IRS procedures that the problem surely lies.

3 March 2017
