Remember when phishing emails — fake emails designed to entice people to cough up valuable financial information — were sent by Nigerian "princes" who promised to send millions of dollars if the lucky recipient could kindly share a bank account number to deposit it in? They were wacky, outlandish and full of oddly colorful phrases and typos. Good times.
Phishing emails today are far more polished and well informed — phishers learn who does what in an organization and can send a realistic-looking message, say, to the chief financial officer of a company that appears to be from the chief executive. This tactic is sometimes called "spoofing," spearphishing, whale phishing, business-email compromise or "masquerading."
This tax season, a surge of phishing attacks is being launched on taxpayers and corporate employees. The Internal Revenue Service has reported a 400% surge in phishing and malware incidents so far.
The Financial Services Information Sharing and Analysis Center "is observing and is aware of higher levels of tax and IRS-related schemes during the peak tax season," said John Carlson, the Washington-based center's chief of staff.
One high-profile victim was Snapchat. At the end of February its payroll department fell for a scammer who impersonated the CEO and asked for employee payroll information. "Unfortunately, the phishing email wasn't recognized for what it was — a scam — and payroll information about some current and former employees was disclosed externally," the company said in an apology to its employees.
Tax season is an especially good time to target financial executives.
"If you're a finance executive at this time of year, you have a number of things competing for your time, from yearend processes around financial statements to financial planning for the next year, in addition to tax statements for employees, new contractors and other third parties," said David Pollino, deputy chief security officer at Bank of the West in San Francisco. "The life of a C-level executive is very busy. Sometimes it's difficult to thoroughly read through emails to ensure that the person sending them is the actual sender."
The IRS issued an alert this month warning payroll and human resources professionals to beware of phishing emails that purport to be from company executives and request personal information on employees. It said the scheme has already claimed several victims. Payroll and human resources staff have mistakenly emailed payroll data including W-2 forms containing Social Security numbers and other personally identifiable information to cybercriminals posing as executives.
"If your CEO appears to be emailing you for a list of company employees, check it out before you respond," IRS Commissioner John Koskinen said in a news release.
The IRS shared a few excerpts from recent fake emails it has caught.
"Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review," read one.
"Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)," was part of another.
"I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP," read a third.
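The excerpts above share the same shape: a message whose display name is an executive's, a request for W-2 or other employee PII, and wording that pushes for a quick reply. The following is an added illustration, not code from the article, the IRS or any organization quoted here, of how a mail gateway or help-desk script could triage such a message before anyone answers it. The company domain (example.com), the executive roster, the lookalike domain and all three sample messages are constructed assumptions.

```python
"""Added example: triage inbound mail that impersonates an internal executive.

Everything here is constructed for illustration: the company domain, the
executive roster and the three sample messages are assumptions, not data
from the article or any real organization.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed internal mail domain
# Assumed roster: lower-cased display name -> the address that person really uses
EXECUTIVES = {"pat ceo": "pat.ceo@example.com"}

# Wording drawn from the IRS excerpts quoted in the article, plus common PII terms
PII_REQUEST = re.compile(
    r"\bW-?2\b|social security number|earnings summary|wage and tax statement"
    r"|date of birth|home address|salary", re.I)
PRESSURE = re.compile(r"\bASAP\b|quick review|kindly", re.I)


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_message):
    """Return the indicators found in one RFC 822 message plus a verdict.

    The From header is forgeable, so this is a triage signal to pair with
    SPF/DKIM/DMARC results and an out-of-band check, not proof of anything.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []

    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        flags.append("executive display name with non-roster address")
    if key in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        flags.append("executive display name from external domain")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("reply-to domain differs from from domain")
    if PII_REQUEST.search(body):
        flags.append("requests employee PII or W-2 data")
    if PRESSURE.search(body):
        flags.append("time pressure wording")

    impersonation = any(f.startswith("executive display name") for f in flags)
    redirect = "reply-to domain differs from from domain" in flags
    asks_for_pii = "requests employee PII or W-2 data" in flags
    return {"flags": flags, "likely_bec": (impersonation or redirect) and asks_for_pii}


# Constructed sample 1: lookalike external domain behind the CEO's display name
SPOOF_LOOKALIKE = """From: Pat Ceo <pat.ceo@examp1e-mail.com>
To: payroll@example.com
Subject: W-2 request

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all
W-2 of our company staff for a quick review.
"""

# Constructed sample 2: From header forged exactly, replies redirected elsewhere
SPOOF_FORGED = """From: Pat Ceo <pat.ceo@example.com>
Reply-To: Pat Ceo <pat.ceo@examp1e-mail.com>
To: payroll@example.com
Subject: Employee list

Can you send me the updated list of employees with full details
(Name, Social Security Number, Date of Birth, Home Address, Salary).
"""

# Constructed sample 3: an ordinary internal request with nothing suspicious
LEGIT = """From: Pat Ceo <pat.ceo@example.com>
To: payroll@example.com
Subject: Board deck

Can you send me the Q4 headcount summary for the board deck?
"""

if __name__ == "__main__":
    for label, raw in [("lookalike", SPOOF_LOOKALIKE), ("forged", SPOOF_FORGED), ("legit", LEGIT)]:
        print(label, assess(raw))
```

The forged sample is the important one: its From header is byte-for-byte the real address, so a check on the sender alone passes and only the Reply-To mismatch and the PII request give it away. That is why the verdict requires a content signal together with an identity signal, and why the IRS advice to confirm the request through another channel still applies even when the headers look clean.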
The phishing schemes ask taxpayers about a wide range of topics, including refunds, filing status, personal information, transcripts and PIN information.
What's Different This Time?
Of course, phishing is not new, and even IRS-related phishing is tried every year. Phishing remains the top way cybercriminals break into banks. They use it to elicit information or get customers and employees to click on malware that can roam banks' networks and pick up information including online banking passwords and administrative passwords.
But this time, it is more effective than it has been in the past.
"We have seen the tactics and techniques of what we call 'masquerading' — where the email sender is able to impersonate someone the recipient knows, like the CEO — evolve over time," Pollino said. "They're very innovative at either gathering information they need to commit fraud on other channels or scamming someone into executing a financial transaction that ends up being fraudulent."
The difference in the latest crop of phishing attacks is that adversaries have gotten smarter while victims have not, said Milan Patel, managing director of the cyberdefense practice at K2 Intelligence.
Cybercriminals are putting extra effort into reconnaissance the way thieves case a bank before robbing it, he said.