Freelancers and Contractors: How to Thwart W-9 Phishing Scams

March 7, 2017 | By

Recently, we wrote about some common tax-season phishes and other scams that are targeting accounting firms and tax preparers. These are no joke, but it’s also important to note that cybercriminals don’t just target employees of companies; they also go after contractors. If you as a small business use freelance or contract labor, then you should be aware of W-9 phishing scams and similar attacks so that you can protect yourself. If you are a freelancer or independent contractor yourself, then you should also be aware of them, since you may be targeted directly.

Why W-9 Phishing Scams Target Freelancers

Many freelancers and independent contractors assume they are too “small fry” to be of interest to cybercriminals. However, these criminals are very creative and will try just about anything to steal personal information that may have financial value or provide a backdoor into a company. In fact, the majority of corporate breaches stem from third-party vendors, which can include freelancers and independent contractors.

As we mentioned in our previous post, phishing attempts are at the top of the IRS’s list of tax scams right now. In some cases, cybercriminals pretend to be from the IRS or an accounting firm. Other tactics include posing as a client and asking for legal or tax forms, such as a W-9. If they succeed at gathering this information, they may attempt to file a fraudulent tax return or spear phish a larger company using information they glean.

In order to protect their personal information, freelancers and independent contractors need to be able to recognize these scams and have a plan in case they fall victim. Additionally, businesses who use contract labor need to be aware so that they can warn contractors about what types of information they will or won’t request via email. Below, we’ll explain what to look for and how you can gain some peace of mind around tax season.

What Do W-9 Phishing Scams Look Like?

If you aren’t familiar, the W-9 form is a tax form that is most commonly used between businesses and their contractors. Businesses use Form W-9 to request information from contractors they hire, which they then use to file a Form 1099-MISC, disclosing how much money they have paid a contractor in a certain year.

W-9s therefore contain very sensitive and personal data including addresses, social security numbers, and employer identification numbers. This data can enable hackers to file a fraudulent tax return or even open up bank accounts in someone else’s name.

To solicit a W-9, a cybercriminal may pretend to be from a contractor’s client and simply ask for the form. Since tax forms can be pretty tedious to fill out, many contractors don’t have a photographic memory about whether and when they have already provided one to a given company. In other words, receiving a request for one may not automatically set off alarm bells. Plus, cybercriminals have gotten pretty good at faking them well enough to convince contractors of their authenticity.

A W-9 Phishing Scam Example

Here’s a real example of a phishing attempt, with names changed to generic ones for privacy. You’ll note the “double greeting,” which is a strong sign that something’s amiss, right out of the gate:

Dear Mr. Smith:

Dear Sir or Madam:

By way of introduction, I am the bookkeeper for XYZ Inc. In reviewing the payments we made to ABC LLC last year, I noticed that we do not have a W-9 on file for your company. Would you be kind enough to have one forwarded to me?

Thank you,
Jane Doe

So, how can contractors make sure they spot any fraudulent requests?

Red Flags

A phishing attempt like the one above is pretty straightforward, and may seem like a normal communication at first, but it also likely has some warning signs. Contractors should look out for the following:

Unfamiliar or Misspelled Sender’s Name: If the sender’s name does not look familiar, that’s a red flag. Of course, it’s possible that it’s from someone that you are not familiar with at a company, but this should at least get your guard up. If you don’t recognize the sender’s name, check LinkedIn or the company website to be sure the person really works there, or—better yet—ask someone you trust at the company to verify the person’s identity and that they should be sending you a request like this. If the sender’s name is misspelled, that is also a warning sign.

Mismatched Sender and Email: Even if you do recognize the sender’s name, check to make sure that the sender’s name matches the email address, especially when the sender is asking for personal documents like a W-9. The sender name could say Jane Doe, but the address could then be something totally different. Not sure how to check the sender’s email address? Once you open an email, you can hover over or click near the sender’s name to see additional information, including their email address. If the email address does not match who you thought the sender was, that’s a definite warning sign, and you should verify the message’s authenticity independently before sending any documents.

Grammar or Spelling Mistakes: Phishing attempts are often loaded with grammatical and spelling errors. In other cases, they simply seem a little bit “off.” In the example above, you can see that the introduction does not make sense contextually, since there is both a direct greeting and the generic “Dear Sir or Madam.” Something’s fishy (pardon the pun), so best to be safe and avoid clicking or sending any information without verifying.

Suspicious Links or Attachments: If a suspicious email contains any links or attachments, don’t click on them. Like the sender’s name, links can be misleading, so if you need to investigate, hover with your mouse above a link to check the URL. If the email says the link is taking you to a safe place, like your client’s website, but the URL actually points somewhere else, it’s almost certainly a phishing attempt. Remember to inspect the URL carefully, as it may look legitimate, but like the email, it could have spelling errors or small punctuation changes, like a “0” (zero) where an “O” (oh) should be or an “L” (ell) swapped for an “I” (eye). When it comes to attachments, do not open anything if you can’t verify the validity of the email.

In the event that you notice one of the red flags above, it’s better safe than sorry. Contact someone you are familiar with at the company and ask directly if they sent a request for your W-9. If they did, have them send it to you again from an email address in your address book, so you can be sure you’re responding to the right email and not handing your information directly over to a cybercriminal. If they did not, delete the email and report it as spam. You can also refer to the IRS’s guide to tax scams here for more information on some of the common attacks going around this year.
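The red flags above can be turned into a simple automated check. The following script is an added example, not code from the original post; it parses a constructed sample message modelled on the double-greeting request quoted earlier and flags an unfamiliar sender domain, more than one greeting, link text that differs from the link target, and a link host that is a lookalike (0 for O, 1 or I for l) of a known client domain. The set of known client domains is assumed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the post's double-greeting W-9 request: unfamiliar
# sender domain, two greetings, and a link whose visible text and real target differ.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@xyz-inc-billing.example>
Subject: W-9 on file
Content-Type: text/html

<p>Dear Mr. Smith:</p>
<p>Dear Sir or Madam:</p>
<p>We do not have a W-9 on file for your company. Please upload it at
<a href="http://xyz-lnc.example/w9">https://xyz-inc.example/w9</a>.</p>
"""
# Domains the contractor knows this client really uses (assumed for the example).
KNOWN_CLIENT_DOMAINS = {"xyz-inc.example"}
# Characters the post warns are swapped for lookalikes: 0 for O, 1 or I for l.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "i": "l"})

def fold(host):
    # Lower-case a host and map lookalike characters so near-twins compare equal.
    return host.lower().translate(LOOKALIKES)

def host_of(url_or_text):
    # Extract the host part from a URL or URL-like link text.
    return re.sub(r"^https?://", "", url_or_text.strip()).split("/")[0].lower()

def red_flags(raw_message, known_domains):
    """Return the red flags from the post that a raw RFC 822 message triggers."""
    msg = message_from_string(raw_message)
    flags = []
    _name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain not in known_domains:
        flags.append(f"sender domain {sender_domain!r} is not a known client domain")
    body = msg.get_payload()
    greetings = re.findall(r"Dear\b[^:\n]*:", body)
    if len(greetings) > 1:
        flags.append(f"multiple greetings: {greetings}")
    folded_known = {fold(d): d for d in known_domains}
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body):
        target, shown = host_of(href), host_of(text)
        if target != shown:
            flags.append(f"link text shows {shown!r} but points to {target!r}")
        twin = folded_known.get(fold(target))
        if twin and twin != target:
            flags.append(f"link host {target!r} is a lookalike of {twin!r}")
    return flags
```

Running red_flags(SAMPLE_EMAIL, KNOWN_CLIENT_DOMAINS) reports all four warning signs; a message from a known domain with one greeting and no mismatched links returns an empty list.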

Plan Ahead

Phishing is a popular type of cyberattack, and it’s becoming more common for attackers to target freelancers and contract workers. If you are a company who employs freelancers or contractors, it’s a good idea to educate them on whether and when you would ever request financial information and make sure they are aware of phishing scams like these. This will help you avoid being party to fraud or losing sensitive organizational data via a freelancer falling victim.

As a contractor, it’s up to you to educate yourself about what these types of scams look like and be wary of them. This way, you can avoid clicking on malicious links, exposing sensitive information, and getting yourself into a world of legal and financial trouble.

Rely On Technology to Stay Safe

In addition to these precautions, we strongly recommend you use an automated malware protection solution like Strongarm. This way, you can automatically stop any malware that makes it past the “human shield” from doing damage to your systems or stealing information.

Our simple, automated security solution alerts you the moment any malicious activity takes place on your network. At just $3 per user per month, everyone from contractors to large enterprises can afford to get the malware protection they need and deserve.
