Combating W-2 Fraud, An Avalanche of False Positives and Wasted Time

Nobody likes tax season. Except perhaps the cybercriminals who are successfully scamming users into sharing their W-2 information. Year over year, the number of IRS-related phishing scams targeting individuals and companies continues to grow, putting organizations at risk of a data breach.

According to Accenture, 30 percent of U.S. organizations with more than 10,000 employees are using data loss prevention (DLP) technology to mitigate the risk of W-2 fraud. However, while DLP technology catches emails containing Social Security numbers, it also creates a tremendous number of false positives, burying analysts in threat alerts.

Normal activity is being flagged as a threat when in reality it’s not. The result: analysts waste their time chasing fires that don’t exist while truly critical threats slip through the cracks.

What If It Is a Fraudster?

In 2017, the identities of hundreds of thousands of employees were compromised when malicious actors targeted corporate payroll departments. Despite the widespread fraud, it’s still typical to see people working on their taxes and exchanging their W-2 information via corporate email.

Employees send W-2 forms to their personal email from their corporate addresses. They’re using their work assets to do personal taxes and sending tax information outside of the company. While that’s efficient for the employees, it’s creating an avalanche of red flags for analysts.

Unfortunately, the additional body of work created in the false positives is a double-edged sword that can’t be ignored. “They’ve built extra rules to send alerts when documents containing Social Security numbers are exchanged. When they dig in, though, the email says W-2 right in the subject line,” said Bay Dynamics co-founder and CTO Ryan Stolte.

The good news is that it wasn’t a threat. But that confirmation comes at a price to the organization. Verifying all of these false positives results in the wasted time and effort of a security team.

Still, the risk is real. And one that, among others, the City of Pittsburg, the University of Northern Colorado and Washington school districts have fallen victim to. Malicious actors are able to hide in the noise—and the louder the noise, the greater the challenge of picking out the bad guys.

Considering the risks, ignoring the alerts is ill-advised. Thus, the very nature of the fraud creates a burden for already overwhelmed analysts to do their due diligence.

Algorithms to the Rescue

Existing rules create alerts that demand a second look, but different algorithms can help to narrow down which ones need to be looked at first. Here’s a scenario: In a company of 10,000 employees, 10 percent of those users were flagged for uploading documents and sending emails that contained Social Security numbers.

That’s a lot of alerts. In most of those cases, a second look reveals that it wasn’t a malicious actor. There’s no theft or external fraud tricking someone into sending information. It was simply an employee sending her tax documents to her personal email account.

“Using smarter algorithms allows them to rate the alerts by probability,” Stolte said. When it looks like the sender has control over the destination or there is a history of user exchange commonality, the alert is a lesser priority.

As with all things security, there is no one-size-fits-all solution. “No single algorithm is the secret sauce,” Stolte said, “but some technology can help you to prioritize threats.”
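As an added illustration, not code from the article or from Bay Dynamics, the following Python scores the kind of DLP alerts described above using the two signals Stolte names (the sender's apparent control over the destination, and a history of exchanges with that recipient) plus the number of Social Security numbers in the message; every address and the exchange history are constructed sample data.

```python
"""Rank DLP alerts on Social Security numbers so likely W-2 fraud is reviewed first."""
import re
from dataclasses import dataclass


@dataclass
class Alert:
    sender: str      # corporate address that sent the message
    recipient: str   # external destination address
    subject: str
    ssn_count: int   # distinct SSN patterns the DLP rule matched

# Constructed history of past (sender, recipient) exchanges; hypothetical data.
EXCHANGE_HISTORY = {("jane.doe@corp.example", "jane.doe1984@gmail.example"): 7}

# Constructed sample alerts: a personal tax send, a payroll-wide dump, an unknown send.
SAMPLE_ALERTS = [
    Alert("jane.doe@corp.example", "jane.doe1984@gmail.example", "My W-2", 1),
    Alert("payroll@corp.example", "ceo.requests@mail-drop.example", "W-2s for all employees", 120),
    Alert("bob.smith@corp.example", "tax.helper@outlook.example", "Documents", 1),
]

def name_tokens(address):
    """Name-like tokens from the local part, ignoring digits and separators."""
    local = address.split("@")[0].lower()
    return {t for t in re.split(r"[._\-\d]+", local) if len(t) >= 3}

def sender_controls_destination(sender, recipient):
    """Heuristic: the destination's local part shares a name token with the corporate account."""
    return bool(name_tokens(sender) & name_tokens(recipient))

def score_alert(alert, history=EXCHANGE_HISTORY):
    """Return (score 0..100, reasons); a higher score means review sooner."""
    score, reasons = 50, []
    if sender_controls_destination(alert.sender, alert.recipient):
        score -= 25
        reasons.append("destination looks like the sender's own personal mailbox")
    prior = history.get((alert.sender, alert.recipient), 0)
    if prior:
        score -= min(20, 5 * prior)
        reasons.append(f"{prior} prior exchanges with this recipient")
    if alert.ssn_count == 1 and re.search(r"\bw-?2", alert.subject, re.I):
        score -= 5
        reasons.append("single SSN in a message labelled W-2: typical personal tax send")
    if alert.ssn_count > 1:  # many SSNs means other employees' data is leaving
        score += min(40, 10 * alert.ssn_count)
        reasons.append(f"{alert.ssn_count} SSNs: more than one employee's data")
    return max(0, min(100, score)), reasons

def triage(alerts, history=EXCHANGE_HISTORY):
    """Alerts sorted highest-risk first, as (score, alert, reasons) tuples."""
    scored = [(s, a, r) for a in alerts for s, r in [score_alert(a, history)]]
    return sorted(scored, key=lambda t: t[0], reverse=True)

if __name__ == "__main__":
    for score, alert, reasons in triage(SAMPLE_ALERTS):
        print(score, alert.sender, "->", alert.recipient, reasons)
```

The weights are illustrative; in practice they would be tuned against an organization's own verified alert outcomes.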

Not surprisingly, the IRS has urged companies to educate their employees about business email compromise (BEC). Additionally, most organizations, including the IRS, are leveraging security intelligence to block those on the known bad guy list.

One silver lining is that this avalanche of fraud-related alerts is specific to tax season. At other times of year, the issue of false positives, while still burdensome, is less difficult to manage because the volume isn’t nearly as high as it is when W-2s and the sensitive information they contain are in circulation.

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World, NICE K12 Cybersecurity in Education, SecureWorld Denver and the University of Southern California. Zurkus has nearly 20 years of experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996).
