W-2 Phishing Scam Adds a New Twist to Wire Transfer Fraud

Organizations have long been aware of their vulnerability when it comes to email and yet phishing scams continue to be profitable, as criminal hackers develop more sophisticated methods for thwarting whatever standard security is in place. Their efforts have been aided by social media platforms, which have emerged as virtual gold mines of detailed information useful to criminal hackers. Personal information about your organization’s leadership, departments and employees has never been so freely available. This situation has led to an onslaught of targeted exploits that leverage this information to gain trust and ultimately rob organizations of their most valuable assets.

Several weeks ago, the IRS issued a bulletin warning of a dangerous Form W-2 phishing scam targeting schools, restaurants, hospitals, tribal groups and others. It combines a scheme to steal employee W-2 forms with an earlier exploit involving fraudulent wire transfers. According to IRS Commissioner John Koskinen, “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

While this exploit is aimed at leveraging increased traffic and online financial activities during tax season, it has implications for organizations that extend far beyond April 15.

How the Scam Works

In the scheme outlined by the IRS, a fake email from one of the targeted organization’s executives is sent to someone in the human resources or payroll departments requesting a list of all employees and their W-2 forms. The IRS bulletin includes examples of language that might appear in these spoofed emails — each of them conveying a sense of urgency meant to dissuade the recipient from spending too much time checking on the validity of the request. Shortly after the W-2 request is sent, a follow-up email from the same “executive,” and with the same urgency (since the need for rapid resolution is a key component of wire transfer fraud), asks that a wire transfer be made to a particular account. What makes this a new twist is the juxtaposition of the W-2 request with the wire transfer. The two requests, according to the IRS, are “coupled,” resulting in the loss of both the valuable data contained in the W-2 forms, and thousands of dollars transferred into the hands of criminal hackers.
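The coupled pattern described above can be checked for on the mail gateway or in a mailbox export. The following is an added example, not code from the IRS bulletin or from CrowdStrike; the domain `example.org`, the executive name, the keyword patterns and the two-day window are assumptions, and the sample messages are constructed.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumed values for this example: the organization's mail domain and executive names.
ORG_DOMAIN = "example.org"
EXECUTIVES = {"pat morgan"}
WINDOW = timedelta(days=2)  # how soon the wire request must follow the W-2 request
W2_RE = re.compile(r"\bw-?2s?\b", re.I)
WIRE_RE = re.compile(r"\bwire (transfer|payment)\b", re.I)

def internal(addr):
    return addr.lower().endswith("@" + ORG_DOMAIN)

def classify(raw):
    """Extract the signals the scam depends on from one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f'{msg["Subject"]}\n{msg.get_payload()}'
    # Executive display name, but mail comes from (or replies go to) an outside address.
    spoofed = name.lower() in EXECUTIVES and (
        not internal(addr) or (bool(reply_to) and not internal(reply_to)))
    return {"when": parsedate_to_datetime(msg["Date"]), "name": name.lower(),
            "spoofed": spoofed, "w2": bool(W2_RE.search(text)),
            "wire": bool(WIRE_RE.search(text))}

def find_coupled(raw_messages):
    """Return (w2_time, wire_time) for each spoofed W-2 request followed by a wire request."""
    events = sorted(map(classify, raw_messages), key=lambda e: e["when"])
    hits = []
    for i, first in enumerate(events):
        if first["spoofed"] and first["w2"]:
            hits += [(first["when"], later["when"]) for later in events[i + 1:]
                     if later["spoofed"] and later["wire"] and later["name"] == first["name"]
                     and later["when"] - first["when"] <= WINDOW]
    return hits

def mail(sender, date, subject, body):  # builds one constructed sample message
    return f"From: {sender}\nTo: payroll@example.org\nDate: {date}\nSubject: {subject}\n\n{body}\n"

SAMPLES = [  # constructed messages, not real traffic
    mail('"Pat Morgan" <pat.morgan@example.org>', "Mon, 06 Feb 2017 08:00:00 +0000",
         "Q1 budget", "Draft attached for review."),
    mail('"Pat Morgan" <ceo@mail.invalid>', "Mon, 06 Feb 2017 09:12:00 +0000",
         "Employee W-2s", "Send me all employee W-2 forms today, I need them urgently."),
    mail('"Pat Morgan" <ceo@mail.invalid>', "Tue, 07 Feb 2017 10:30:00 +0000",
         "Payment", "Please process a wire transfer to the vendor account right away."),
]
```

`find_coupled(SAMPLES)` returns one pair, the W-2 request on 6 February and the wire request on 7 February. A request sent from a compromised internal mailbox would pass the display-name check, so out-of-band verification of the request is still needed.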

There’s a lot of preparation that takes place for one of these attacks to be successful. For example, cyber criminals must do research to understand the organization and identify key personnel — executives and payroll and human resources employees, etc. In some cases, they target an executive first, with an email that would appeal to him or her. In one scheme, the hacker found out via a social media account that the executive was an avid golfer, so he sent emails tailored to his interest until one was opened with a link leading to a fake, infected site.

Once the hacker is inside your network, he can grab other relevant intelligence to contact others in the organization. Mimicking your internal communications, he merely has to set up a dummy account, perhaps spoofing a vendor with whom your organization does business on a regular basis, and he’s off to the races. If his hacking gives him access to previous wire transfer records, his task may be even easier. The spoofed request from the executive reaches the designated recipient looking very official, and the funds are then sent to the hacker’s fake account.

Organizations have lost millions in the past few years due to these scams and it’s particularly troubling that new versions are targeting schools and hospitals. Although the FBI estimates that fraudulent wire transfers cost organizations over $3 billion per year, some industry experts estimate it may be much higher.

Employee Training Plus Next-Generation Security Technology Are Key

How can you defend against sophisticated adversaries that use social engineering, phishing schemes and other malware-free tactics to fool employees into parting with the company assets? There are steps you can take to protect your organization:

  1. Tighten requirements around passwords. At a minimum, require dual authentication for both personal and workplace accounts. Unfortunately, not all organizations require it. There are also other multi-factor approaches to protecting access, and password management programs can be effective because they eliminate the burden of employees having to remember multiple passwords.
  2. Educate your workforce. Surprisingly, a survey done at this year’s RSA event found that 78% of IT professionals have been fooled by a phishing scam. Clearly, scammers are sophisticated and spoofed communications are getting tougher to spot. Train your employees to be vigilant to any unexpected emails or requests, no matter who they are from. Also make sure all business transactions are verified before they are carried out. You may also want to review how you grant access to critical data and processes and ensure that policies for those activities are stringent enough.
  3. Don’t rely on legacy antivirus (AV) to protect you. The kind of malware-free exploits described in this blog won’t be stopped by standard signature-based AV defenses. Your best option is to arm your organization with next-generation AV that uses advanced techniques such as machine learning and artificial intelligence to detect anomalous behavior including credential escalation, and other tactics used in highly targeted phishing scams. Yesterday’s outdated, signature-based technology is no match for today’s sophisticated malware-free attacks.

To be better prepared when a clever adversary strikes, download the new Guide to AV Replacement from CrowdStrike and learn how easy it is to replace your legacy AV with multi-faceted security that provides advanced protection against malware and malware-free attacks around the clock, regardless of whether your endpoints are connected to the internet or not.
