Fraudsters haul in more info by casting nets into payroll departments instead of a single line to one taxpayer
Tax season always puts a spotlight on the latest scams designed to trick taxpayers into giving up their cash or sensitive identity information to cyber thieves. Unfortunately, scammers have been going after employers to get confidential employee information, and like other significant e-mail phishing scams, this one can be hard to detect and can result in significant damage to your business and employees. Here’s what you need to know to protect yourself and the colleagues who trust your business with their tax information.
Phishing for W-2s in 2019
The most common (and effective) scheme seeks to get a batch of sensitive tax data about employees via what appears to be a routine request from an executive for an electronic file with all employee W-2 info in it. Because it seems routine and seemingly comes from management, unsuspecting payroll or human resources employees often provide the information without a second thought. The data can be in the hands of the fraudsters in a matter of hours and the business might not realize that the hack has occurred for weeks.
How to Guard Against W-2 Phishing Scams
There are several steps you can take to make your business less susceptible to this type of attack, including:
- Raise awareness. Anyone in your company who has access to sensitive tax information of any sort should be educated on day 1 and reminded often that someone attempting to steal these records could target them at any time. Employees who handle this kind of information on a daily basis can never lose sight of the damage it could do if accidentally shared outside the company.
- Create review processes. If you don’t have them already, institute strong review controls over W-2s and any other tax information. These could include:
- Verbal or written confirmation of any request for W-2s or other forms. Most importantly, train your people to confirm the request via a medium other than the one through which it was originally made. If the request came in an e-mail, call or speak face-to-face with the person making the request. If it’s a high-level executive and the employee feels uncomfortable challenging the person, have the confirmation request route through a supervisor or department head.
- Supervisor review for any sharing of W-2 or tax information with anyone. Train your people to understand that any communication of tax information must be authorized in advance, even if it is only an internal request.
What to Do If You Are Phished for W-2s
These scams have become so prevalent that authorities have created a special process for reporting them. If your business learns that employee W-2 information has been compromised, you should:
- Email email@example.com to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type “W2 Data Loss” so that the email can be routed properly. The business should not attach any employee personally identifiable information data.
- Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
- File a complaint with the FBI’s Internet Crime Complaint Center. Businesses and payroll service providers may be asked to file a report with their local law enforcement agency.
- Notify employees. The employee may then take steps to protect themselves from identity theft. The Federal Trade Commission’s www.identitytheft.gov provides guidance on general steps employees should take.
- Forward the scam email to firstname.lastname@example.org.
Get Assistance from the Cybersecurity Experts at DataSure24
To learn more about protecting your business from W-2 phishing scams and other cyber-threats in 2019, we’re available for a no cost or obligation cybersecurity consultation. So, if you have any questions or concerns, please don’t hesitate to contact us at 716.600.3724. We’ll discuss your situation and concerns, and help you identify best practices for protecting your confidential employee information.