Could W-2 forms be more lucrative than healthcare records?
Could W-2 forms be more lucrative than healthcare records?

Could W-2 forms be more lucrative than healthcare records? That was the question put forward by Michael Bruemmer, vice president at Experian Data Breach Resolution group. He wrote recently that in the last few years, “there has been an emergence of tax fraud via W-2 phishing scams that has become so prevalent that it may overtake what has typically been the focal point of most cyber-criminals – healthcare data.”

Already this year, W-2 scams have affected nearly 30,000 people, which Bruemmer noted was a 25 percent increase on the previous year.

It was only in early February that the US Internal Revenue Service (IRS) issued a warning about the proliferation of scams in which cyber-criminals attempted to steal W-2 forms. IRS commissioner, John Koskinen said at the time, that such scams "can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone's help to turn the tide against this scheme".

W-2 forms are issued by US employers, detailing the yearly pay of each of their employees. As one might expect, they come with a great wealth of personally identifiable information. Stolen forms might be used to commit social security fraud or tax related identity theft. 

In March 2016, the IRS warned of a phishing attack that tried to get employers to hand over W-2 data.  Scammers would pose as executives urgently trying to get their hands on the data, in what is commonly known as a whaling attack or business email compromise. The campaign claimed its share of victims including popular app Snapchat  and Seagate Technology.

Health care records have been noted for their value in illicit circles. Ben Johnson, cofounder of Carbon Black, told SC Media UK in 2016 that health records can go for up to US $50 (£40) per record, 10 times the value of a credit card number. Unlike a credit card, added Johnson, “which easily can be cancelled and reissued, medical records contain personally identifiable information, medical conditions and contact information for other family members. And criminals can do more with them, including order drugs in the patient's name or use their information for identity theft.”

While healthcare organisations are a prime target for cyber-criminals given the lucrative stockpiles of data inside, Bruemmer says he thinks their place could be taken W-2 forms. Every company in the US must issue a W-2 form he writes, “With such proliferation, there is a strong economic appeal for criminals to steal W-2s, perhaps even making the data more valuable and alluring than stealing healthcare data.”

While W-2 scams do seem to be on the rise, there appears to be little available data to  adequately compare the two phenomena. Dissent, the creator of DataBreaches.net, noted that although there have been 145 W-2 phishing cases in the US so far this year he ultimately doubts the claim that they have become more attractive than healthcare data. Writing this week, he said that, “right now, W-2 phishing incidents are not outnumbering other types of attacks. Maybe in a few months as more data come in, we'll have a better sense.”

Graham Mann, MD Encode Group UK told SC that, “clearly cyber-criminals are still able to acquire whatever data they wish with relative impunity, that's the issue. We know from our own cyber-battle tests, that phishing remains the easiest way of gaining access to networks and data.”  

“From a monetisation standpoint it's likely that the US W-2 data is more attractive but any PII has a value these days and the impact on the individual is likely to be the same – devastation. W-2 forms and indeed any PII should be better protected, after all, this is extremely sensitive information.”