Stopping the W-2 Spear Phishing Scam

On March 1, 2016, data storage giant Seagate Technology learned the 2015 W-2 tax form information for current and former U.S.-based employees were compromised due to a spear phishing email.

Unfortunately, Seagate is not alone. The same W-2 phishing attack compromised SnapChat just last week. Many other companies have fallen victim to similar spear phishing emails, resulting in similar data breaches. Last year, refund scam artists stole W-2 information on more than 330,000 people from the Internal Revenue Service website.

In this post, we’ll examine how your company can avoid a similar fate by revealing how W-2 scams work and how GreatHorn, Return Path’s newest partner, can help you fight them.

Why spear phishing is effective
What’s notable about spear phishing scams is that they exploit the weakest link in any security system: human beings.

Most employees, even executives, are responsive to requests from the C-suite—their natural inclination is to respond and be helpful. Unfortunately, it is relatively easy for an attacker to exploit this reaction.

There are four primary means of executing an impersonation attempt, and except for the most basic kind of attack, none of them can be detected at the email provider level.

Let’s examine them in turn.

Example attack 1: “Pure” spoofing
The simplest type of attack is the “pure” spoofing attack. In this scenario, an attacker simply rewrites the mail headers (the "from" line, typically) to make it appear as though their email comes from someone inside an organization’s mail domain.

The screenshot below is an example of a "pure" spoofing attack. Note the recipient’s Google Apps environment automatically adds the Google+ picture for the supposed CEO, Will Shorlin, even though this message was never actually sent by him.

Roy, the recipient, would likely never know this was not really from Will. However, with GreatHorn in place, this message can be detected as a fraud within seconds, and automatically removed from Roy’s inbox, in addition to alerting the information security team of the fraud attempt. GreatHorn’s analysis shows that this is a fake for a number of reasons:

Luckily, Google Apps does enforce a DMARC policy for email received in Gmail-hosted mailboxes. So in this example, if had a DMARC “reject” policy in place, the fraudulent message would have been rejected. But if a “reject” policy is not in place, the fraudulent message does get through. That’s where GreatHorn’s analysis comes in.

Example attack 2: Homograph domains
A more sophisticated attack is the “homograph domain” attack. In this variant, an attacker registers a domain that looks visually similar to their target’s domain, and even sets up SPF, DKIM, and DMARC to ensure that messages from that domain are deliverable.

The way that this works is that the attacker registers a name and domain that would trick the target. Often, we see this as a manipulation of the top-level domain; .com and .cm are commonly substituted, for example.

In combination with an identical “sender”—note the example below, where [email protected] is being impersonated by [email protected]—most users won’t notice the change, especially if they are using a mobile device, which will reveal the Display Name of “Will Shorlin” only.   

With GreatHorn in place, however, organizations don’t need to rely on eagle-eyed users to catch these kinds of attacks. Here, the platform can identify the “look-alike” domain automatically, in addition to the duplicated sender address, and then take automated action such as deleting or quarantining the email before it leads to a breach:

Example attack 3: User name and private email spoofing
A third way that organizations get breached is through impersonation that doesn’t rely on a spoofed or look-alike domain, but rather, impersonation of the sender as an individual.

We most often see this kind of attack when an organization has a large number of domains and brands under management and a large employee base. The attack begins with an email that mimics the “friendly” display name—“Will Shorlin” in this example—of an executive, and comes from a domain that looks familiar even if not identical to the recipient’s domain:


Unless the recipient knows every domain that their company uses, this can often be a highly effective attack mechanism. Likewise, we’ve seen attacks in the wild that use private email addresses (, for example) to mimic executive names and generate this type of attack.

Gateways and filter-based security tools can’t detect this as a potential attack—no spoofing is occurring, and the sender domain is likely not on any blacklist. However, GreatHorn’s combination of Keyword Detection, Display Name Impersonation Detection, and Sender Address Analysis can automatically find and remove even these highly sophisticated attacks:

Preventing W-2 scam attacks
Since the nature of these attacks extends beyond what can be addressed by the email providers themselves, the only effective means of defense lies in a purpose-built spear phishing solution.

Roughly one in five (18 percent) of all of the identified threats we see today use one of the four attack mechanisms described above. CISOs have a decision to make: wait to be breached, or get proactive. Yesterday's solutions (email gateways, employee training, and so on) simply can't address these new kinds of attacks.

Want more blog posts like these? Subscribe to the Return Path blog.


minute read

Popular stories



BriteVerify email verification ensures that an email address actually exists in real-time


The #1 global data quality tool used by thousands of Salesforce admins


Insights and deliverability guidance from the only all-in-one email marketing solution

GridBuddy Cloud

Transform how you interact with your data through the versatility of grids.

Return Path

World-class deliverability applications to optimize email marketing programs

Trust Assessments

A revolutionary new solution for assessing Salesforce data quality


Validity for Email

Increase inbox placement and maximize subscriber reach with clean and actionable data

Validity for Data Management

Simplify data management with solutions that improve data quality and increase CRM adoption

Validity for Sales Productivity

Give your sales team back hours per day with tools designed to increase productivity and mitigate pipeline risks in real-time