4 Questions on W-2s and Security False Positives with Ryan Stolte of Bay Dynamics

false positives and W-2s

Tax Day is April 17th. Chances are your enterprise already prepared and shipped off the necessary documents. But what about your employees? Is the looming deadline putting pressure on them?

Recently, the IRS sent out a warning about a W-2 phishing email scam putting enterprises at risk. Cybersecurity experts are warning about the false positives that could result from employees doing their taxes at work. This may not seem like an enterprise-level concern, but your employee’s behaviors often determine your cybersecurity’s solidity against cybercriminals.

To learn more about this and how enterprise IT cybersecurity teams can deal with false positives in general, we spoke with Ryan Stolte, Co-Founder and CTO of security analytics vendor Bay Dynamics. Here’s our conversation, edited slightly for readability:   

Solutions Review: What is the W-2 phishing email scam? It seems to have become fairly prevalent if the IRS is warning people about it.

Ryan Stolte: Yes. Every tax season, this scam comes to surface however this year the attackers expanded their victim pool. In February 2018, the IRS released an alert warning that W-2 email phishing scams have evolved. The scams involve cybercriminals sending emails that appear to come from a trusted executive to someone in human resources or payroll, requesting a list of all employees and their W-2 forms.

SR: But now there is a false positives problem arising from the phishing scam? Why is that happening?

RS: Data Loss Prevention (DLP) technology is typically the gatekeeper for these kinds of scams, as it is designed to flag and stop sensitive data from walking out the door. However, every tax season, employees oftentimes work on their own personal taxes while at work using work assets. They email their W-2s back and forth from their corporate to their own personal email address or that of their accountant.

The problem is that due to the sensitivity of the information on W-2 documents, DLP flags this activity as a high-level alert, when in reality it’s employees simply working on their taxes. As a result, already overwhelmed DLP analysts waste time investigating these alerts, only to discover that while risky they are not critical threats. In the meantime, the real threats like those warned about in the IRS alert fall through the cracks.

The other issue is that because analysts are so accustomed to seeing this type of “business as usual” activity during this time of year, they write rules so that security tools do not flag the behavior at all. This is dangerous because if an employee is compromised and the bad actor is sending personal, sensitive information to a malicious external party, the tool would miss the activity.

SR: If employees doing their personal taxes at work, with work equipment and on company time, shouldn’t the solution be to just prevent employees from doing that? Or is it more complicated than that?

RS: Security Awareness Training can help in one regard. It shows employees why this behavior is risky and advises them to not work on personal taxes using work assets. However, that is far from foolproof. People will continue the activity considering most of their time is spent in the office and they face a looming deadline. Technology is needed to reduce the false positive problem while also catching real threats before sensitive data leaves the organization.

Companies should integrate DLP with user and entity behavior analytics (UEBA). UEBA looks at the employee’s behavior, which in this case is an employee sending a W-2 form to his personal email address. It then analyzes the behavior, comparing that behavior to the person’s peers and overall team, and uses that information to determine if the alert is indeed a malicious insider trying to steal data or a false positive.

For example, if an employee is sending his own W-2 to his personal email address, in addition to many others on their team doing that same activity, it’s most likely employees simply working on their taxes while at work and not a malicious threat. UEBA would identify that those employees are sending W-2 documents to themselves and deprioritize these activities or move them to a queue for training. If an employee in human resources sends a list of W-2 information to an external party that is unrecognized, UEBA would identify the behavior as abnormal for the employee’s self, peers, and overall team, and prioritize the alert before sensitive data walks out the door.

UEBA can also help identify broken business processes. For example, if groups of employees are violating a policy in a consistent way, like sending their documents with sensitive data to their attorneys, UEBA will identify the activity as non-malicious but risky and recommend they be targeted for process improvement, and/or perhaps provide them with an encrypted email tool.

SR: What advice do you have to help IT teams recognize false positives? Are there telltale signs?

RS: Identifying false positives involves behavior comparisons and understanding the receiver. If an employee sends a batch of tax-related documents to an external email address, UEBA would compare the behavior to the employee’s self, peers, and overall team. UEBA can also determine if the receiver is unusual, such as an external email address or the personal email address of the employee. If it’s the personal email address, it’s a low-risk item and can be deprioritized. If it’s an external address, and the behavior is unusual across the person’s peers and overall team, the behavior would be prioritized as a high alert. UEBA also factors in contextual information such as the value of the asset at risk of a compromise.

For example, if the information is a list of social security numbers, that’s of high value, and if compromised would most likely damage the company significantly. UEBA would factor that in and prioritize the alert as critical. However, if it was a database of press releases that were already distributed publicly, UEBA would deprioritize the alert being that it’s not of high value and would cause little impact if compromised.

Thanks again to Ryan Stolte of Bay Dynamics for his time and expertise!


Ben Canner

Leave a Reply

Your email address will not be published. Required fields are marked *