The largest healthcare W-2 phishing scam of the year to date has recently been reported by American Senior Communities of Indiana.
While many organizations have already reported being fooled by phishing emails this tax season, this was the largest healthcare W-2 phishing scam by some distance, impacting more than 17,000 of the organization’s employees.
This year has already seen 74 organizations scammed, and that number is certain to rise over the coming weeks. Schools have been extensively targeted this year, although there have been at least 9 healthcare organizations that have fallen for the phishing scam this year.
Campbell County Health, Pointe Coupe Hospital, Adventist Health (Tehachapi Valley), SouthEast Alaska Regional Health Consortium, eHealthinsurance, Citizens Memorial Hospital, Maxor National Pharmacy Services, Meridian Health Services, and American Senior Communities have all announced that one of their employees has fallen for the phishing scam and emailed employees’ W-2 Form data to scammers.
The W-2 phishing scam involves an email being sent to a member of the payroll or HR department. The email appears to have been sent by the CEO, CFO or another C-Suite member who requires the W-2 Form data of all employees who had taxable earnings for the previous fiscal year. The emails usually ask for W-2 Forms to be emailed by return in PDF format. The data contained in those emails is then used to file fraudulent tax returns to the IRS. The emails can be convincing. The sender’s email address is masked to make it appear as if it has been sent internally. The request for data may also seem perfectly normal.
In many cases, it becomes clear that an employee has been scammed within a day or two, allowing action to be rapidly taken to mitigate risk. In the case of American Senior Communities that was not the case. Not only were thousands of employees impacted, the phishing scam went unnoticed for more than a month. The W-2 phishing email was sent to a payroll processor who responded in mid-January, yet the scam was only detected on February 17.
The criminal behind the scam acted quickly and used the emailed data to file fraudulent tax returns in the names of the employees. The scam was detected following a number of complaints from employees who had had their tax returns rejected by the IRS as a tax return had already been submitted in their name.
The number of W-2 phishing attacks that have already occurred this tax season suggest that many employers were unaware of the risk of phishing attacks during tax season, and had failed to alert their payroll and HR staff about the possibility of a phishing attack.
With around 6 weeks left of tax season, there is still a high risk of attack. All organizations should ensure that their payroll and HR staff are advised of the high risk of phishing attacks and told to be on high alert. Policies should also be introduced that require all email requests for employee W-2 Form data to be verified by phone or in person before any data are sent.