W2 Scams and Business Email Compromise (BEC): 3 Reasons Advanced Email Threats Are About to Get Worse

Feb 11, 2020

Editor’s Note: This blog was originally found on the Agari Email Security blog

By Armen Najarian

With the season for W2 scams upon us, rapidly evolving email threats suggest these and other business email compromise (BEC) attacks targeting corporate financial departments may be about to go from bad to worse.

Each January, US-based businesses begin distributing W2 forms to employees, documenting earnings, tax withholding, Social Security numbers, and other sensitive information that must be included on income tax returns.

But in keeping with other studies, Agari threat data actually reveals a steady drop in the percentage of email attacks seeking to con recipients in accounting, HR or payroll into divulging the information contained on W2 forms. And thanks to crackdowns by the IRS, state tax agencies, and the tax-preparation industry, there has been a 54% drop in fraudulent tax returns since 2015.

This is no time to let down the guard, however. Despite the fact that W2 scams currently represent just 2.5% of all BEC attacks, they may still account for more than $210 million in losses this year. And the information they contain can still be sold on the dark web, helping to fuel millions more.

In fact, the falling number of email attacks targeting W2 information may actually mask a larger threat and one that could prove much more costly than many organizations yet realize.

Business Email Compromise Means Big Bucks

Whatever the particulars of a given scheme, BEC attacks typically begin with a fraudulent email purporting to come from a senior executive or other trusted sender.

In W2 scams, a typical ploy may entail an urgent email from the “CEO” requesting a list of employees, including 2019 W2s and earnings summaries, as part of a “strictly confidential” acquisition. In other cases, the BEC email may come from the “CFO” pushing for immediate payment to an “important new vendor.” In still other forms, a seemingly innocuous email from a “senior executive” may ask for a change to their direct deposit details before payday.

BEC is big business. According to the FBI, BEC leads to at least $700 million in losses each month for US-based businesses — $8.6 billion in just the last year.

As it turns out, the very same cybercriminals behind W2 scams are responsible for a host of other advanced email threats — including payroll diversions, wire fraud rackets and more. And it’s easy to see why. If BEC were a single corporation, it would rank #115 on the Fortune 500.

But today, BEC attack methodologies are mutating, taking on dangerous new forms. And there are three important reasons the changing nature of this threat could wreak havoc in the months ahead.

1. The Barriers to Entry Are Collapsing

The growing availability of millions of compromised email credentials on the dark web is making it easier than ever to hijack email accounts belonging to senior executives at a targeted company in order to launch email scams on employees.

These attacks are nearly impossible for most security controls to detect. And they provide fraudsters with access to valuable intel that can be leveraged to fool employees with gift card scams, payments fraud, payroll diversions, and more.

They can also use the accounts for credential phishing, enabling them to move laterally across corporate IT systems — including those housing lucrative competitive, customer and, yes, employee data, with little risk of discovery. Today, the average US company faces a 29.6% chance of falling prey to this kind of breach within the next 24 months, with associated mitigation costs topping $8.2 million per incident, according to Ponemon Institute.

Thanks to the proliferating number of turnkey phishing kits, fraudsters no longer need much technical expertise, which means more will get into the game. Phishing kits, many available for free, come complete with HTML, PHP files, images and other assets needed to set up phishing sites that replicate legitimate login pages for Dropbox, Adobe, Microsoft, Google, and others.

2. The Attack Surface is Expanding

These and other tactics are leveraged in newer email scams targeting both accounts payable and receivable. As we pointed out in our recent 2020 Predictions post, the form of BEC known as vendor email compromise (VEC) will no doubt become the top attack modality for email fraudsters by year’s end.

In VEC attacks (similar in kind to those launched by the cybercrime group we’ve dubbed Silent Starling) fraudsters hijack corporate email accounts, spy on communications, and then impersonate the account’s legitimate owner in emails aimed at defrauding companies throughout the extended supply chain.

Other email fraud rings (e.g., Ancient Tortoise) use pirated or spoofed email accounts to impersonate a company’s CFO in order to request invoice aging reports from accounts receivable — collecting intel on customers they can scam in later invoice and payment diversion scams.

3. Threat Actors Are Multiplying

BEC and its variants aren’t just for Nigerian email scammers anymore. Thus far, cybercriminal organizations in Eastern Europe and Russia have mostly watched the rise of BEC from the sidelines. But it’s only a matter of time before these groups put their operational expertise to work in advanced email attacks of their own.

They won’t be alone. Escalating tensions with Iran, China, Russia, and North Korea could lead to a marked increase in cyberattacks targeting organizations in both the public and private sectors. Last August, reports surfaced that North Korean threat actors had launched phishing attacks on banks and other businesses that succeeded in stealing $2 billion for the country’s weapons program.

And in January, the Department of Homeland Security issued warnings that potential Iranian retaliation for US airstrikes that killed General Qasem Soleimani in Iraq could include phishing attacks aimed at infiltrating systems and extorting businesses, banks, and other organizations — sowing mayhem along the way.

What It Takes to Fight Back

In the face of these evolving threats, companies are likely to find they need to augment existing email security systems with identity-based solutions. Here’s why.

While traditional security controls have grown adept at detecting signatures of malware and other malicious code, they’re defenseless against BEC attacks that use social engineering tricks to fool employees into making costly mistakes. Viruses, malware and trojans attack technical vulnerabilities and target IT network infrastructure.

BEC attacks are different. They attack sender identity and target human emotions of fear, anxiety and curiosity. And they are coming with increasing levels of business context. Stopping this kind of identity deception requires an identity-focused defense. This means understanding past behaviors and relationships between sender and receiver. A new attack can’t perfectly mimic that history, even when attacks are launched from hijacked email accounts belonging to trusted co-workers.
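An added example, not from the original post and not Agari's implementation: the Python below builds a sender profile from past messages and reports how a new message deviates from that history. All names, domains and messages are constructed, and the three checks are assumptions chosen for illustration.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed sample history (hypothetical people and domains).
HISTORY = [
    "From: Pat Lee <pat.lee@example.com>\nTo: payroll@example.com\n\nQ3 numbers",
    "From: Pat Lee <pat.lee@example.com>\nTo: payroll@example.com\n\nThanks",
    "From: Sam Roy <sam.roy@example.com>\nTo: hr@example.com\n\nHello",
]

def parse(raw):
    """Return (display name, From address, To address, effective Reply-To)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    to = parseaddr(msg.get("To", ""))[1]
    # With no Reply-To header, replies go back to the From address.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1] or addr
    return name.strip().lower(), addr.lower(), to.lower(), reply_to.lower()

def build_profile(raw_messages):
    """Record which addresses each display name used, who wrote to whom,
    and where each sender's replies were directed."""
    profile = {"names": defaultdict(set), "pairs": defaultdict(int),
               "reply_to": defaultdict(set)}
    for raw in raw_messages:
        name, addr, to, reply_to = parse(raw)
        profile["names"][name].add(addr)
        profile["pairs"][(addr, to)] += 1
        profile["reply_to"][addr].add(reply_to)
    return profile

def deviations(raw, profile):
    """List the ways a new message departs from the recorded history."""
    name, addr, to, reply_to = parse(raw)
    reasons = []
    known = profile["names"].get(name, set())
    if known and addr not in known:
        # A familiar display name arriving from an unfamiliar address.
        reasons.append("display_name_seen_with_other_address")
    if profile["pairs"].get((addr, to), 0) == 0:
        reasons.append("no_prior_sender_recipient_history")
    seen_reply_to = profile["reply_to"].get(addr)
    if seen_reply_to and reply_to not in seen_reply_to:
        # Known sender, but replies are redirected somewhere new.
        reasons.append("reply_to_never_seen_for_sender")
    return reasons
```

A message sent from a hijacked mailbox with no header changes produces no deviation in these three checks; catching it requires behavioral signals beyond headers, such as a request type the sender has never made before.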

For companies seeking to deploy these technologies, one of the biggest challenges is having access to a sufficient and evergreen data set. For example, at Agari we typically analyze around 2T email messages annually from all over the globe. It’s an approach that’s proven to work for some of the largest and most recognized brands in the world.

To learn more about protecting against W2 scams, payroll diversions and the rapidly evolving threat from BEC, view our on-demand webinar, The Evolving Email Threat Landscape, from Osterman Research.



