The defense contractor community saw one of its members fall victim to the W2 Scam recently. Providing further confirmation the defense community remains in the target sights of adversaries of every type and ilk. In March Defense Point Security (recently acquired by Accenture Federal Services) informed both current and former employees their W2 information was compromised. In an email sent by CEO George McKenzie, employees were informed that all the information one would find on a W2, including social security numbers, had been compromised via a spear phishing email.

W2 Scam

The Internal Revenue Service published a warning in March 2016 advising payroll and human resource professionals about the targeting of W2s via phishing. DPS is just the latest to fall victim to the W2 scam.

How it works.

Directly from the IRS:

IRS Criminal Investigation already is reviewing several cases in which people have been tricked into sharing SSNs with what turned out to be cybercriminals. Criminals using personal information stolen elsewhere seek to monetize data, including by filing fraudulent tax returns for refunds.

This phishing variation is known as a “spoofing” email. It will contain, for example, the actual name of the company chief executive officer. In this variation, the “CEO” sends an email to a company payroll office employee and requests a list of employees and information including SSNs.

The following are some of the details contained in the e-mails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

IRS Form 4524 – Taxes. Security. Together goes into some detail on keeping your information secure, protecting yourself from phishing and protecting your personal identifying information within the context of the income tax footprint.

Targeting your cleared employees

The fact that a cybersecurity entity fell victim to the low-tech social engineering of the W2 spear phishing scam should serve as a warning to all defense contractors that they, too, may be targeted. It’s important to impress upon all staff and particularly human resources departments the need for attention to detail. This includes review of internal policy and procedure surrounding the personal identifying information of their colleagues.

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of