Business email compromise

This attack was very popular early in 2017, and it was highly successful. Attackers spoofed the business email addresses of important people in an organization and used the authority of those people to get sensitive information from targets. They would look up details of a company and collect the email addresses of its lower-level employees. It was important that the targets were low-level employees, both for the sake of the attack and for the exercise of authority to work. The attackers would spoof the email addresses of personnel in the human resources department and use them to ask employees to send copies of their W-2 forms. The information in W-2 forms is somewhat sensitive, and it can be used to file tax returns. The attackers filed tax returns in a way that would attract refunds, and then they collected the refunds themselves. In more nefarious scenarios, the attackers would use this information to apply for college financial aid. The number of victims whose information ended up in such attempts was so high that the United States Department of Education shut down this service, which had been heavily abused by these attackers.

Looking at the attack, it can be seen that the hackers used the principle of simplicity. The pretext was composed of nothing more than a spoofed HR email address and a simple request to send a W-2 form. It was also targeted at low-level employees, who would have the fewest questions to direct to HR personnel. They mostly complied and sent their W-2 forms, and that is why this version of the IRS scam was so effective. Another principle employed was that of research. The attackers had to identify the low-level employees in a certain organization as well as the HR staff. Common work email formats consist of the employee's first and last name followed by the domain of the organization, which was very helpful when finding out the work emails of the targets. Spoofing email addresses is itself not very hard. Attackers normally replace some letters with numbers or add some symbols to get an address that almost matches the real one. Many people do not check details such as the domain of the sender of an email. Once they see a familiar name and a familiar-looking email address, they believe that the message is from the real person. This is how the attack came to be so effective.
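The check that recipients skipped, comparing the sender's domain with the real one, can be automated at the mail gateway. The following is an added example, not code from the book; the organization domain, the HR display name, the similarity threshold and the sample headers are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed values, constructed for this example.
ORG_DOMAIN = "example.com"
HR_DISPLAY_NAMES = {"Jane Doe"}
SIMILARITY_THRESHOLD = 0.85

# Digits and symbols commonly substituted for letters in lookalike addresses.
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"}
)


def normalize(text):
    """Lowercase, undo character substitutions, and drop added symbols."""
    swapped = text.lower().translate(SUBSTITUTIONS)
    return "".join(ch for ch in swapped if ch.isalnum())


def classify_sender(from_header):
    """Return 'internal', 'lookalike-domain', 'name-impersonation' or 'external'."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:
        # The header only claims our domain; SPF/DKIM/DMARC results
        # decide whether that claim is authentic.
        return "internal"
    ours, theirs = normalize(ORG_DOMAIN), normalize(domain)
    if SequenceMatcher(None, ours, theirs).ratio() >= SIMILARITY_THRESHOLD:
        return "lookalike-domain"
    # A familiar HR name on an unrelated domain is the other half of the pretext.
    if normalize(display_name) in {normalize(n) for n in HR_DISPLAY_NAMES}:
        return "name-impersonation"
    return "external"


# Constructed sample From headers.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@examp1e.com>",
    "Jane Doe <jane.doe@example-hr.com>",
    "Jane Doe <jdoe.hr@mail.test>",
    "Vendor Billing <billing@partner.test>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):20} {header}")
```

Messages classified as lookalike-domain or name-impersonation are candidates for a warning banner or quarantine, especially when they request documents such as W-2 forms.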

How an email can get you hacked