Combating W-2 Fraud, An Avalanche of False Positives and Wasted Time

Nobody likes tax season. Except perhaps the cybercriminals who are successfully scamming users into sharing their W-2 information. Year over year, the number of IRS-related phishing scams targeting individuals and companies continues to grow, putting organizations at risk of a data breach.

According to Accenture, 30 percent of U.S. organizations with more than 10,000 employees are using data loss prevention technology to mitigate the risk of W-2 fraud. However, while DLP technology catches emails containing Social Security numbers, it also creates a tremendous number of false positives, burying analysts in threat alerts.

Normal activity is being flagged as a threat when, in reality, it is not. The result: analysts waste their time chasing fires that don’t exist while truly critical threats slip through the cracks.

What If It Is a Fraudster?

In 2017, the identities of hundreds of thousands of employees were compromised when malicious actors targeted corporate payroll departments. Despite the widespread fraud, it’s still typical to see people working on their taxes and exchanging their W-2 information via corporate email.

Employees send W-2 forms to their personal email from their corporate addresses. They’re using their work assets to do personal taxes and sending tax information outside of the company. While that’s efficient for the employees, it’s creating an avalanche of red flags for analysts.

Unfortunately, the additional body of work created by the false positives is a double-edged sword that can’t be ignored. “They’ve built extra rules to send alerts when documents containing Social Security numbers are exchanged. When they dig in, though, the email says W-2 right in the subject line,” said Bay Dynamics co-founder and CTO Ryan Stolte.

The good news is that it wasn’t a threat. But that confirmation comes at a price to the organization. Verifying all of these false positives wastes a security team’s time and effort.

Still, the risk is real. And one that, among others, the City of Pittsburg, the University of Northern Colorado and Washington school districts have fallen victim to. Malicious actors are able to hide in the noise—and the louder the noise, the greater the challenge of picking out the bad guys.

Considering the risks, ignoring the alerts is ill-advised. Thus, the very nature of the fraud creates a burden for already overwhelmed analysts to do their due diligence.

Algorithms to the Rescue

Existing rules create alerts that demand a second look, but different algorithms can help to narrow down which ones need to be looked at first. Here’s a scenario: In a company of 10,000 employees, 10 percent of those users were flagged for uploading documents and sending emails that contained Social Security numbers.

That’s a lot of alerts. In most of those cases, a second look reveals that it wasn’t a malicious actor. There’s no theft or external fraud tricking someone into sending information. It was simply an employee sending her tax documents to her personal email account.

“Using smarter algorithms allows them to rate the alerts by probability,” Stolte said. When it looks like the sender has control over the destination or there is a history of user exchange commonality, the alert is a lesser priority.
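To make that prioritization concrete, here is an added example (not code from the article or from Bay Dynamics) that scores SSN-triggered DLP alerts on the two benign signals just described: the sender appears to control the destination mailbox, and the sender and recipient have a history of prior exchange. The personal-mail domain list, the history counts, the weights and the sample alerts are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed list of consumer mail providers; a real deployment maintains its own.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    sender: str     # corporate address that tripped the SSN rule
    recipient: str  # external destination of the message


def _split(address):
    local, _, domain = address.lower().partition("@")
    return local, domain


def _name_tokens(local_part):
    # "jane.doe" -> {"jane", "doe"}; digits and tokens under 3 letters are dropped
    return {t for t in re.split(r"[^a-z]+", local_part) if len(t) >= 3}


def sender_controls_destination(alert):
    """Heuristic: recipient is a personal mailbox whose name matches the sender's."""
    s_local, _ = _split(alert.sender)
    r_local, r_domain = _split(alert.recipient)
    if r_domain not in PERSONAL_MAIL_DOMAINS:
        return False
    r_letters = re.sub(r"[^a-z]", "", r_local)
    return any(tok in r_letters for tok in _name_tokens(s_local))


def has_exchange_history(alert, history, min_prior=3):
    """history maps (sender, recipient) to a constructed count of earlier messages."""
    return history.get((alert.sender.lower(), alert.recipient.lower()), 0) >= min_prior


def score(alert, history):
    """Higher score = look at it first; each benign signal lowers the score."""
    s = 100
    if sender_controls_destination(alert):
        s -= 40
    if has_exchange_history(alert, history):
        s -= 40
    return s


def triage(alerts, history):
    """Alert ids ordered by descending score, so analysts start at the top."""
    return [a.alert_id for a in sorted(alerts, key=lambda a: (-score(a, history), a.alert_id))]


# Constructed sample alerts and prior-exchange history
HISTORY = {("jane.doe@corp.example", "benefits@payrollvendor.example"): 12}
ALERTS = [
    Alert("A1", "jane.doe@corp.example", "jane.doe@gmail.com"),             # own personal mailbox
    Alert("A2", "jane.doe@corp.example", "benefits@payrollvendor.example"), # long-standing exchange
    Alert("A3", "hr.admin@corp.example", "ceo.office@newly-seen.example"),  # no benign signal
]

if __name__ == "__main__":
    print(triage(ALERTS, HISTORY))
```

An alert with neither signal (A3, a never-before-seen external destination) keeps the top score, while the two ordinary tax-season cases sink to the bottom of the queue without being discarded.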

As with all things security, there is no one-size-fits-all solution. “No single algorithm is the secret sauce,” Stolte said, “but some technology can help you to prioritize threats.”

Not surprisingly, the IRS has urged companies to educate their employees about business email compromise (BEC). Additionally, most organizations, including the IRS, are leveraging security intelligence to block those on the known bad guy list.

One silver lining is that this avalanche of fraud-related alerts is specific to tax season. At a different time of year, the issue of false positives, while still burdensome, is less difficult to manage because the volume isn’t nearly as high as it is with the sensitive information contained in W-2s.

May 8, 2018
Kacy Zurkus

Kacy Zurkus is a cybersecurity and InfoSec freelance writer who has contributed to several publications including Medium, CSO Online, The Parallax, InfoSec Magazine and K12 Tech Decisions. She covers a variety of security and risk topics. She has also self-published a memoir, "Finding My Way Home: A Memoir about Life, Love, and Family" under the pseudonym "C.K. O'Neil." Zurkus has nearly 20 years of experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
