Report: W-2 Sites Targeted in Account Creation Scams
May 9, 2016
Sites used by two companies to give their clients’ employees access to W-2 forms were compromised and individual personal and salary information was stolen to commit tax refund fraud, according to security blogger Brian Krebs. Payroll giant ADP and credit bureau Equifax both offer their clients a Web portal so the employees of those clients can access their tax information electronically. In both cases, Krebs reported that fraudsters leveraged personal information stolen from other sources, including Social Security numbers and birth dates, to create accounts on the W-2 portals.
Default login information—in Equifax’s case, the last four numbers of an employee’s SSN and in ADP’s case, a code that was inadvertently published by client U.S. Bank—was obtained by fraudsters and used to create accounts for users who had never registered for the online portal. Once the accounts were created, the crooks were able to view those employees’ W-2 information. While that information most likely was used in the past few months mainly to file fraudulent tax returns, account takeover and account creation are growing problems for retailers, online gaming sites, insurers and any other CNP merchant that uses an online account where users store value or have a payment method on file.
The problem is becoming so pervasive a special panel discussion at the CNP Expo will be devoted entirely to account takeover fraud. Take a look at our entire agenda and register for the CNP Expo today.