CEO Fraud 2.0 – It’s Like Fraud on Steroids

Imagine getting an email from the CEO of your company requesting that you email out a zip file containing last year’s W2 forms to a new accounting firm that is “helping your company with taxes”.


Accounting and payroll departments all over the US are getting emails like this one each and every day.  And they’re always fraud.  But you wouldn’t know it because the email appeared to come from the CEO.  And why would you ever not listen to your CEO?  After all, they are the boss.

And it is happening so much, that the IRS released an urgent alert to consumers and businesses to be on the alert for W2 phishing.  The scam has is now targeting school districts, tribal organizations, and nonprofits – those that may have little reason to suspect fraud.

Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

CEO Fraud 2.0 Has Arrived

Well, the cyberhacking fraudsters have launched their next generation CEO Fraud (Version 2.0) and it looks deadly.  It’s like old CEO fraud but on steroids and far more dangerous.  The average financial loss to companies can range anywhere from $100,000 to millions of dollars.

Brian Krebs is reporting the latest iteration of CEO fraud where clever fraudsters are phishing companies CEO’s to gain full access to their entire database of employee W2’s.  Then after they are finish raiding the company for all of their W2, they send one more email to the accounting department to send a fraudulent wire transfer out to a third party.

It’s a combination of the old CEO Fraud where the cyber hackers requested wire transfers with the new fraud where they also raid the companies W2 forms.   The hackers steal thousands of employee W2’s and then get wire transfers ranging from $5,000 to $1 million fraudulently sent to money mules all over the world.

Large Companies are Being Targeted with Thousands of Employees

The companies that are being targeted are not small – here is a list of a handful of companies that have been targeted with this new fraud. Seagate Technologies,  Money Tree, Sprouts, and EWTN Catholic Network

Stolen W2’s are Used to File Billions in Fraudulent Tax Returns Or Sold on the Dark Web

The W2 phishing attacks are highly lucrative. The stolen returns are used to file fraudulent IRS tax returns and can net the fraudsters $5,000 or more for each successful attempt.  In the case of Scotty’s Brewery who had 4,000 employee’s W2’s stolen through this CEO Fraud, that means close to $2 million dollar payout.

The IRS reported over $1.5 billion in fraudulent returns paid last year.

As Brian Krebs is reporting, however, the W2s are also being sold on the Dark Web for $4 to $20 per return.  The price is typically based on the income that was listed on the W2.  The higher the income, the higher the likelihood the fraudsters can get a bigger fraudulent refund payout.