Data Breach Digest: Has W-2 fraud overtaken healthcare as the most lucrative target for cyber-criminals?

March 1, 2017
A look at what's fueling the uptick in tax fraud and how businesses can protect their employees

What keeps most security professionals up at night is protecting their companies’ valuable data to ensure it stays out of the hands of cyber criminals. But, what presumably keeps the criminals up at night? Most likely it is finding new, innovative and more lucrative sources of information to exploit. In the last couple of years in particular, there has been an emergence of tax fraud via W-2 phishing scams that has become so prevalent that it may overtake what has typically been the focal point of most cyber criminals – healthcare data.

No longer are cyber criminals simply hobbyists acting alone in their spare time. Today’s cyber criminals operate along the same vein as a sophisticated global business supported via fraud-based supply chains capable of generating billions of dollars annually – $16 billion according to a recent Javelin study. Also, they typically have a business-savvy mentality that allows them to adapt and change with the opportunities available in their operating landscape. One need look no further than the headlines that prove this to be true with new victims being identified on a near-daily basis.

In the same way that the internet provides a variety of possibilities for businesses to succeed, so too are the many and varied opportunities for criminals to attack. One important aspect of running a successful fraud business that achieves a positive ROI means focusing efforts on building efficiencies of scale that have the potential to return consistent results with minimal effort and money. Which means, readily available and consistent data – enter prime target number one: healthcare records.

The Economic Opportunity of Fraud

Traditionally thought of as the most valuable records available from a criminal targeting perspective, healthcare data is federally protected to make acquisition of the information much more difficult. HIPAA (Health Insurance Portability and Accountability Act of 1996) is the United States’ legislation that provides data privacy and security provisions for safeguarding medical information. Its most basic purpose is to provide patients with assurance that their medical and health information is private and should be protected, as well as to ensure they know who has access to the information.

Yet, despite the legislative safeguards in place, there is virtually no way to protect against every potential attack. In fact, the healthcare industry has experienced disproportionately more data breaches than any other business sector. This is due, in part, to the increasing number of medical records being stored electronically and the increased value of the information when traded on the dark web.

Even though healthcare data offers a strong appeal, there is a new avenue that has found itself squarely in the bullseye of the fraudsters’ target – the form W-2. Every company in the United States must issue W-2s for employees, forms that are full of valuable PII. With such proliferation, there is a strong economic appeal for criminals to steal W-2s, perhaps even making the data more valuable and alluring than stealing healthcare data.

The Evolution of W-2 Attacks

Employment-related theft isn’t a new concept. For many years, criminals have spoofed IRS notices, Social Security Administration benefits adjustment letters, and Form W-2s or 1099s. Last month, the IRS issued a warning to alert businesses and consumers of these types of schemes after identifying an increase of about 400 percent in phishing and malware incidents in the 2016 tax season in comparison to the previous tax season. The IRS also published a comprehensive online guide for what people should do if they receive any of these notifications – particularly if they reference income not earned or employers for who you’ve never worked.

Even with all the warnings and resources available, the United States continues to experience increasing incidences of companies and employees falling victim to phishing attacks during the 2017 season aimed at tricking companies’ HR departments into sending W-2 forms to criminals who can use the record to file fake returns, among other uses. The proliferation of this scam is so widespread that Experian is currently servicing dozens of breaches a week related to these schemes. So far, these schemes have already affected more than 29,500 people this year – a 25 percent increase from what Experian saw last year by this time.

So, What Can Businesses Do?

Employee negligence has long been a leading cause of data breaches for many years. If employees are not properly trained – especially those employees who have access to sensitive information – they will likely fall for the scam. Oftentimes, personal tax data is being exposed after an employee complies with a cleverly spoofed email from an “unauthorized third party” claiming to be a senior executive making a purportedly “legitimate request” for employees’ W-2 tax forms.

First, businesses must incorporate privacy and security training programs that help employees identify potential phishing attempts and empower them to question any out-of-character asks to avoid falling victim to an elaborate scheme. A recent Ponemon study found that only 45 percent of companies make security training mandatory for all employees and less than half of those trainings include phishing and social engineering simulations. It’s vital that data protection and privacy training programs are required of all employees, especially for those in HR departments who are often the targets of such attacks.

Another consideration is for businesses to consider offering incentive or recognition programs to help address two other reasons for fraud beyond simple employee ignorance – employee frustration or lack of rewards. Establishment of public acknowledgement programs for high-performing employees can help increase the willingness of employees to pay attention and put their security training to good use.

Lastly, in the case of a successful phishing scam, any evidence of a potential attack – even if it is determined that no sensitive information was shared – should be filed in a complaint immediately. Proper protocol following an attempted attack can help detect cybercrime trends and alert authorities to emerging threats. Failure to comply can result in legal ramifications as well as costly, long-term damage to brand reputation. All security professionals should be well-versed of these requirements and respond to incidents in a timely, sensitive manner.

The lure of large amounts of readily available data – translating to significant economic opportunity – has ensured the business of fraud continues to boom. Which in turn has kept cybersecurity professionals around the world pushing to stay ahead and minimize the impacts. For businesses, understanding how a W-2 data breach may occur and ensuring employees are well-versed in identifying potential phishing scams will go a long way in combatting the increasing interest from cyber-criminals. Businesses that recognize the risks and incorporate education and procedures into their operations will help protect themselves and their employees from unnecessary harm.

About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at [email protected].