A US government cybersecurity contractor has reportedly fallen victim to scammers who accessed the firm's W-2 tax data after an employee became a target of their phishing scam. Thanks to a targeted spear phishing email, the cybercriminals allegedly obtained sensitive personal data of employees, including names, Social Security numbers, addresses, compensation and tax withholding amounts.
Defense Point Security's CEO George McKenzie reportedly sent out an email notifying around 200 to 300 employees nationwide of the breach, according to a report by security journalist Brian Krebs. The email, however, did not specify when the incident occurred or how many employees were affected.
McKenzie wrote in the email, "I want to alert you that a Defense Point Security (DPS) team member was the victim of a targeted spear phishing email that resulted in the external release of IRS W-2 Forms for individuals who DPS employed in 2016. Unfortunately, your W-2 was among those released outside of DPS."
Among Defense Point's more sensitive projects with the US federal government is the US Immigration and Customs Enforcement (ICE) Security Operations Center (SOC), which is based in Phoenix, Arizona. The SOC oversees cyber incident response, vulnerability mitigation and cybersecurity policy enforcement for ICE.
Defense Point Security is yet to comment on the matter. Accenture, which recently acquired Defense Point, claimed that protecting its employees' data was the firm's "top priority".
An Accenture spokesperson issued the following brief statement: "Data protection and our employees are top priorities. Our leadership and security team are providing support to all impacted employees."
According to Krebs, cybercriminals have now taken to openly selling W-2s in underground marketplaces. He also claimed that for scammers involved in tax refund fraud, W-2 information is valuable since it contains almost all the data required to fraudulently file someone's taxes and request a large refund in their own name.
He added, "Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS."