Brace for W-2 fraud powered by AI this tax season

It’s that time of year again. Tax season. When employees in finance departments face a prolonged period of stress, time-sensitive demands, and pressing deadlines that persist over the next several months.

It’s an anxious and overwhelming time, and hackers know this all too well. Case in point: scams facilitating W-2 fraud are starting to surge. In fact, we’ve detected a more than 130% increase in attacks between December and January.

W-2 fraud works like this: A hacker poses as an executive and emails staff in the finance or human resources department requesting employee W-2s. They use email spoofing and social engineering techniques to prime the conditions for the victim to make a critical mistake. Most scams come from a personal email address like Gmail and include a subject line like “tax help” or “W2 request.” If the victim complies, the hacker can sell the stolen W-2 on the black market or use it for identity theft.

This scam represents just one type of spear-phishing attack, which today constitutes the costliest email threat, according to the IC3. Last year, reported losses totaled more than $2.7 billion, surpassing the combined sum of phishing and email-based malware attacks.

Several factors help explain the menace of spear phishing. The threat typically involves a very costly form of financial fraud, such as getting victims to pay a scam invoice or make a wire transfer to a fraudulent account. They also don’t contain malicious links or attachments, only text that succinctly delivers the payload. That makes them harder to detect than other email-based threats—both for email security solutions and cautious users.

Traditionally, an obvious giveaway of spear phishing was the presence of egregious spelling and grammatical errors. Yet with the emergence of generative AI, these warning signs are less common. Hackers can now produce error-free text in any language almost instantaneously. While generative AI creators have instituted controls that prevent abuse of their platforms, hackers can still circumvent these measures.

That would explain why we’ve observed a noticeable increase in the quality of spear phishing threats since generative AI became mainstream. It may also foreshadow an extraordinary period of W-2 fraud this tax season.

To stay protected, ensure the organizations implements these important measures:

Refrain from publishing private information on the internet

Avoid divulging private information online, including social media platforms. This includes anything hackers can use. Recently, we detected an attack that engineered a scam based on the victim’s attendance at a business conference. The individual may have shared this information on a platform like LinkedIn.

Check for email spoofing

Spear phishing impersonates individuals a person knows and typically uses display name or close cousin spoofing to support this illusion. The former features the sender’s name in the display name field, which rarely reflects their email address. Close cousin spoofing nearly replicates a legitimate domain name, but includes a slight deviation ([email protected] vs. [email protected]). Both forms of spoofing can make a fraudulent email resemble an authentic one, especially when viewed in a cursory glance.

Verify the authenticity of requests through alternative means

After receiving a request, verify its authenticity by contacting the sender via phone or in-person. Hackers want users to act impulsively and they do it by creating a sense of urgency.

Adopt email authentication protocols

Email authentication protocols, such as SPF, DKIM, and DMARC, help protect against email spoofing. That explains why Google and Yahoo recently made them mandatory for their users, and why companies should adopt them.

Implement multi-factor authentication

Spear phishing attacks often occur after an initial compromise, as legitimate accounts give hackers an authentic cover and access to sensitive information for future scams. Adopting MFA can help protect against attacks before and after a breach. While most MFA options are better than nothing, consider adopting a FIDO-based solution, a phishing-resistant form recommended by CISA.

Fortify the company’s email security

An advanced, integrated email security product can help protect against spear-phishing scams. Since 2020, Gartner has recommended adopting this technology to supplement the native features of cloud email platforms. Look for products that leverage Natural Language Processing (NLP), an AI model that detects abusive patterns, phrasing, and words in spear phishing threats. As NLP is the primary defense against spear phishing, also shop for products that train NLP algorithms on threats produced by human sources and generative AI.

For most of us, tax season is an anxious and stress-inducing time. It’s also a period that deserves greater cyber vigilance – not less. Rather than letting circumstances dictate the company’s security, choose to control what the team can control. When it comes to W-2 fraud, that’s what matters most.

Adrien Gendre, chief technology and product officer, Vade