Tax-fraud scam dupes major companies
IRS tells employers to watch out for W-2 form requests
A major phishing scheme has tricked several major companies — among them, the messaging service Snapchat and disk-drive maker Seagate Technology — into relinquishing tax documents that exposed their workers' incomes, addresses and Social Security numbers.
The scam, which involved fake emails purportedly sent by top company officials, convinced the companies to send out W-2 tax forms that are ideal for identity theft. W-2 data can easily be used to file bogus tax returns and claim fraudulent refunds.
“This mistake was caused by human error and lack of vigilance, and could have been prevented,” Seagate's chief financial officer, Dave Morton, wrote in an email to employees.
The swindlers behind the tax scam are exploiting human gullibility rather than weaknesses in computer or Internet security. They have targeted company payroll and personnel departments, in many instances with emails claiming to be requests from the company CEO asking for copies of worker W-2s.
The IRS sent a March 1 notice alerting employers' payroll departments to the spoofing emails. The IRS said it's seen a 400 percent increase in phishing and computer malware incidents this tax-filing season.
The agency said the scheme has so far claimed “several victims” but declined to disclose how many other employers had reported releasing W-2s to unauthorized parties.
The federal alert didn't come soon enough for Snapchat, which on Feb. 28 revealed that its payroll department had been duped by an email impersonating its CEO, Evan Spiegel. The Los Angeles company didn't specify how many employee W-2s it released. Snapchat didn't respond to requests for comment Tuesday.
“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” Snapchat wrote in a post on its corporate blog.
Seagate acknowledged surrendering the W-2s for all current and former employees who worked at the company last year. The Cupertino, Calif., company said “several thousand” people were affected. As of July, Seagate employed about 52,000 workers, though all but 10,500 of them were based in Asia.
Both Snapchat and Seagate notified federal authorities about the phishing attacks and are offering affected workers two years of free credit monitoring.
Hundreds of companies appear to have been targeted, said Stu Sjouwerman, CEO of KnowBe4, a company that trains employers to detect such scams.
Phishing attacks commonly occur during holidays and annual events such as tax season, to prey on people's routines, said Fatih Orhan, director of technology at security firm Comodo.