By John P. Mello Jr - TechNewsWorld |31st March 2016

Hackers in recent weeks have stepped up their efforts to steal employee tax information from companies in all kinds of industries. Typically, the information contained on IRS form W-2 is used to file false tax returns or steal someone's identity. The situation has become so bad that the IRS earlier this month issued an alert to human resources and payroll professionals about the subject: Beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

"This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,"

- IRS Commissioner John Koskinen

"Now the criminals are focusing their schemes on company payroll departments," he continued.

"If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees," Koskinen warned.

Hard to Spot Crooks

What makes spearphishing attacks so effective is that they're hard to identify -- both by automated defenses and human beings.

"These scams do not generally have any active payload. They don't have an attachment. They don't have a URL of any sort that a traditional email security solution can associate with malicious behavior,"

- Vidur Apparao, CTO of Agari

"Most of these attacks are pure social engineering attacks," he told TechNewsWorld. In addition, the attacks originate from legitimate Net infrastructure, not, as was seen in the past, from malicious infrastructure like botnets. "Eighty-five percent of these attacks [are] coming from public cloud infrastructure," Apparao said. "The fact that they're coming from legitimate infrastructure makes them almost invisible to existing security solutions.

Fighting Phishing With Stories

If an automated solution is to counter clever spearphishers, it's going to need some smarts of its own, which is what ZapFraud seeks to do in a patent it was awarded earlier this month. The patent is for detecting email scams by what it calls their "storylines." While scammers constantly change their formulations, they very rarely depart from one of a relatively small number of storylines, ZapFraud said.

Consider an email that has a greeting from an apparent stranger, an expression of surprise, mention of large sums of money, an expression of urgency, and a request for a response.

"Identifying a storyline doesn't mean something is evil," Jakobsson said. "It means that one has to be cautious."