
Dec 2025: W-8BEN CREDENTIAL PHISHING

W-8BEN CREDENTIAL PHISHING Indicators

Threat Alert: W-8BEN CREDENTIAL PHISHING

  • Threat actors impersonated various organizations to send out notifications that users’ W-8BEN certifications had expired.
  • The W-8BEN form is used by non-U.S. persons when they receive payments from U.S. sources, such as income from work with U.S.-based organizations or U.S.-earned interest, dividends, rents, or royalties.
  • Threat actors abuse the branding of various international tax authorities in message lures designed to socially engineer users into clicking malicious links. Actors frequently reference specific tax forms to make the lures appear more legitimate.

How is it used in the wild?

  • Message lures claimed to be notifications regarding the intended recipient’s Form W-8BEN status.
  • The messages claimed that a compliance review had determined that the intended recipient’s Form W-8BEN had expired or would expire imminently. To remain compliant, the lure claimed, recipients needed to open a link in the message titled “Renew Form W-8BEN.”
  • The URL led to a counterfeit authentication page that reused the branding of the private-sector organization impersonated in the original message. These authentication pages were designed to harvest credentials.

Key Action: Stay Alert!

  • Be extremely cautious of any urgent tax-related messages, especially those requiring immediate action. Make sure you know how to identify legitimate tax-related messages. Always look closely at headers and senders of unsolicited emails.
  • Verify the legitimacy of any unsolicited/unexpected email before you interact with it, especially if it directs you to open a link. Know the risks associated with fraudulent tax notifications and generally opening links that originate from unknown sources.
  • Remain alert to phishing indicators. Mismatches between sending addresses and an organization’s name are always warning signs. AI-enabled tools enhance the quality of lures, so stay alert for less obvious signs of malicious intent, including messages tailored to specific regions and languages.
  • Report ANY suspicious emails via Phish Alarm.
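The checks above (sender versus claimed organization, link destination versus sender, tax-form lure wording) can be turned into simple triage logic. The following is an added example, not code from the original alert or from the Phish Alarm product. The two messages it scores are constructed samples; the brand names, sender addresses, domains and URLs in them are assumptions for illustration and do not refer to any real campaign. The "known brand domains" set is likewise an assumption standing in for whatever allow-list an organization maintains for a brand it expects mail from.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording typical of the lure described in the alert (lower-cased for matching).
LURE_PHRASES = ("w-8ben", "renew form", "compliance review", "expired")

# Assumption: domains the impersonated brand is actually known to send from.
BRAND_DOMAINS = {"examplebrand.test"}

# Constructed phishing sample (not a real message): display name claims the
# brand, but the sending domain and the "Renew Form W-8BEN" link do not match it.
SAMPLE_PHISH = """\
From: "Example Brand Tax Compliance" <notices@examplebrand-mail.test>
To: recipient@example.org
Subject: Action required: your Form W-8BEN has expired
Content-Type: text/html; charset=utf-8

<html><body>
<p>A compliance review determined that your Form W-8BEN has expired.</p>
<p><a href="https://login.examplebrand-verify.test/renew">Renew Form W-8BEN</a></p>
</body></html>
"""

# Constructed benign sample: same brand, but sender and link use a known domain.
SAMPLE_LEGIT = """\
From: "Example Brand Tax Compliance" <tax@examplebrand.test>
To: recipient@example.org
Subject: Your W-8BEN is on file
Content-Type: text/html; charset=utf-8

<html><body>
<p>No action is needed. You can view your forms in the portal.</p>
<p><a href="https://portal.examplebrand.test/forms">View forms</a></p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def score_message(raw, brand_domains):
    """Return the indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg["Subject"] or "") + " " + body).lower()

    indicators = []
    # Sender check: the display name claims a brand, so the domain must be one
    # the brand actually uses. Lookalike domains fail this check.
    if sender_domain not in brand_domains:
        indicators.append(
            f"sender domain {sender_domain} is not a known domain for '{display_name}'")
    # Link check: a call-to-action link should stay on the sending domain.
    for anchor, href in extract_links(body):
        host = (urlparse(href).hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            indicators.append(f"link '{anchor}' points to {host}, not {sender_domain}")

    lure_hits = [p for p in LURE_PHRASES if p in text]
    return {
        "from": addr,
        "display_name": display_name,
        "sender_domain": sender_domain,
        "lure_hits": lure_hits,
        "indicators": indicators,
        # Tax-form wording alone is not proof; require a structural mismatch too.
        "suspicious": bool(lure_hits) and bool(indicators),
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(sample, BRAND_DOMAINS))
```

The design point is the final line of the scoring: W-8BEN wording on its own is expected in legitimate tax correspondence, so the example only raises a verdict when the wording coincides with a sender or link that does not belong to the brand named in the display name. The legitimate sample mentions the form but triggers no indicator; the phishing sample triggers both the sender check and the link check.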