To set up this attack, the threat actor first uses LinkedIn or a similar service to find the right contacts, both on the executive and on the recipient side. Knowing that a select few people, likely in the human resources department, will have access to W-2 information, the attacker must select their target carefully in order to successfully complete this scam.

Once the recipient is determined, the attacker uses a legitimate domain with SPF enabled, adding the word ‘exec’ to the username to increase legitimacy, and spoofs the display name to that of the CFO. He then asks the recipient to send the 2021 W-2 information and earnings summary of all employees via email immediately, leveraging urgency and goodwill to encourage quick completion of the task. 

Status Bar Dots
6272d03c80dd28d1bab9aad3 w220bec 20220503

Why It Bypassed Traditional Security

This attack is solely text-based, with no traditional indicators of compromise, and the domain has authentication protocols enabled. Without an understanding of the content and tone of the message, there is no way for an email security solution to understand that this email has malicious intent. 

Detecting the Attack

Natural language processing enables cloud email security solutions to detect the presence of a sensitive W-2 request, and integration with Active Directory allows the platform to know that the sender email is not associated with the VIP being spoofed. Combined, this provides enough information to block the attack before it reaches the recipient’s inbox. 

Risk to Organization

This attack can be extremely dangerous if responded to, as providing a full list of employee W-2s would give the cybercriminal access to personal information, including social security numbers, for the full list of employees. Once this information is obtained, it can be used to perform a variety of fraud, including opening new credit card accounts, filing fraudulent tax returns, or stealing state or federal benefits. 

Analysis Overview




W-2 Theft


Personalized Email Subject
Maliciously Registered Domain
Spoofed Display Name

Impersonated Party

Employee - Executive

See How Abnormal Stops Emerging Attacks

Get a Demo