IRS Issues "Urgent Alert," Urges Widespread Vigilance

"Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups and Others," is the alarming headline of a new announcement from the IRS. This warning is the latest in a series of press releases alerting the public to one of the most lucrative tax seasons hackers have ever seen. 

According to, who is keeping an ongoing record, 99 companies and organizations have fallen victim to such a scam thus far in 2017. While this is nothing new (see our phishing alert from 2016), these types of targeted phishing scams have continued to grow in popularity over the past year and are becoming increasingly sophisticated and effective. Join us as we leverage DARKINT and the skills of our analysts to take a look into what's happening.


This has historically been a hot time of the year for cyber scammers. The IRS saw an approximately 400% surge in phishing and malware incidents in the 2016 tax season. With that increase in cyberattacks has come an undoubted refinement of technique, making this year's threat more dangerous and effective than ever. Experts have dubbed it a "cross breed" spear phishing campaign that applies advanced social engineering techniques to exploit its victims. Here's how it works:

1. Hackers gather information about the targeted company, including the names and contact information of its chief executive(s) as well as relevant (often mid-level) HR or payroll personnel.

2. They then use this information to pose as the selected executive, let's say the CEO, by crafting an email and configuring it to look as though it is coming from the CEO's actual email address.

3. The dubious email is then sent to the relevant employee (or employees) in HR - or in payroll - requesting that they send the W-2 forms of, say, the employees belonging to a specific department, or, in many cases, of the entire company.

4. Not wanting to refuse a request from their executive, a significant portion of the recipients will acquiesce and email the W-2's in question to the attacker.

5. The hacker uses the W-2 information to file tax returns with the IRS on behalf of each legitimate employee, collecting whatever tax refunds their victims are eligible for. Or, in some cases, the stolen documents are put on the darknet and made available for purchase.

This method of committing tax-related identity theft has proven to be largely successful. As recently as last week, an HR employee of Mount Healthy City School District replied to an email from her "boss," following up on his request by sending him the W-2's of 600 current and former employees. Within a day, a number of those employees came forward to say that their IRS tax status indicates they have filed for this year, though they themselves did no such thing. 


Curious as to what the darknet was saying regarding this spear phishing scheme, we decided to look for ourselves by running a keyword search of our darknet database.

Screenshot of a listing on a darknet marketplace offering W-2's to buyers for $1.76 apiece.



The search results confirmed that many stolen W-2's are being offered for sale on various darknet marketplaces. We also found chatter among darknet users, with many discussing and sharing spear phishing techniques and engaging in social engineering contests, challenging each other to spear phish selected targets and bragging when they successfully do so.

Other .onion pages tout the scam in the form of a PSA to fellow hackers:

"This is a very easy method to do and by the end I am sure you will be wondering why more people do not know about it. It is gaining media attention this year (specifically in FL) and I suspect that within 1-2 yrs the USA legislators will take the steps necessary to close the loopholes in the tax code so this method will at the very least be much more difficult to reproduce. Currently e-file returns undergo little or NO review process at all before the refunds are sent out."
- Anonymous Darknet User


"All you have to do is pick up the phone," our analysts say. You can avoid falling victim to one of these ubiquitous spear phishing emails by having a quick verbal exchange.  

It is important to make your colleagues or employees aware that if they receive an email requesting sensitive documents or the personal information of any employee, such as the one pictured above, the first thing they should do is call the sender of the email on the phone to confirm its legitimacy.
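A mail-gateway check can back up the phone call by flagging messages that fit steps 2 to 4 above so they are held for call-back verification. The following is an added example, not part of the original article; the company domain, executive name, protected mailboxes, header choices and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical deployment values (assumptions, not from the article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan"}  # executive display names to protect
PROTECTED = {"hr@example.com", "payroll@example.com"}
W2_REQUEST = re.compile(r"\bw-?2s?\b|wage and tax statement", re.I)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def w2_request_findings(raw):
    """Return reasons to hold a message for call-back verification."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    rcpts = {a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    body = "" if msg.is_multipart() else msg.get_payload()  # plain text only
    text = f"{msg.get('Subject', '')}\n{body}"
    if not (rcpts & PROTECTED and W2_REQUEST.search(text)):
        return []  # not a W-2 request addressed to HR or payroll
    findings = ["w2-request-to-hr-or-payroll"]
    if name.strip().lower() in EXECUTIVES and domain(from_addr) != COMPANY_DOMAIN:
        findings.append("executive-name-on-external-address")
    if reply_addr and domain(reply_addr) != domain(from_addr):
        findings.append("reply-to-differs-from-sender")
    # Only trust Authentication-Results stamped by your own gateway.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if domain(from_addr) == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        findings.append("company-domain-without-dmarc-pass")
    return findings

# Constructed sample messages, not real mail.
SPOOFED = (
    "From: Pat Morgan <pat.morgan@example.com>\n"
    "Reply-To: pat.morgan@mail-example.net\n"
    "To: payroll@example.com\n"
    "Subject: W-2 request\n"
    "Authentication-Results: mx.example.com; dmarc=fail\n"
    "\nPlease send me the W-2's for all staff today.\n")
LOOKALIKE = (
    "From: Pat Morgan <pat.morgan@examp1e.net>\n"
    "To: hr@example.com\n"
    "Subject: Quick request\n"
    "\nI need copies of every employee W2 form.\n")
```

Even a message that returns only the first finding is a request for bulk W-2 data and still warrants the phone call before anything is sent.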