By: David Cole
It’s tax season again and the cyber criminals are back at it. According to the IRS, last year’s W-2 spear-phishing scam has returned and is currently making its way across the nation. The IRS and state tax authorities have issued a new alert advising HR and payroll departments to beware of phony emails intended to steal employees’ personal information in their W-2 forms. The phony emails generally appear to be from a senior executive in the company, like the CEO or CFO, and are sent to a company payroll officer or HR employee. The email requests a PDF or list of employee W-2 forms for the tax year. Those forms contain employee names, SSNs, and income information – all of the information a cybercriminal needs to file a fraudulent tax return and collect the refund.
The Federal Bureau of Investigation (FBI) has been tracking the financial impact of scams like this. In June 2016, the FBI estimated that cybercriminals had stolen nearly $3.1 billion from more than 22,000 victims of these types of schemes. Now, the IRS says it is receiving new notifications that last year’s email scam for W-2 records is underway for a second time. The IRS urges company payroll officials to double check any executive-level or unusual requests for lists of W-2 forms or SSNs.
To help you be aware, the following are some of the details that may be contained in the emails:
- Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
These incidents not only create headaches and worry for employees, but they also constitute data breaches reportable under state law because personal information has been exposed to an unauthorized individual and the risk of identity theft is high. Last year’s incidents also resulted in class action lawsuits by employees against some of the victimized companies.
The challenge in guarding against this scam is that the emails look legitimate. The header of the email may look exactly as you would expect, mirroring the company fonts and signature blocks, and containing the actual email address of the spoofed executive in the “From:” line. Often, the return email address won’t be visible until after the reply is sent unless the user specifically expands the address field. If you look carefully, it is likely that the domain name is a few characters different from the company’s actual domain name, such as substituting the number “1” for the letter “l” or replacing a “.org” with a “.com”.
Businesses should train employees—and particularly HR and payroll employees who handle sensitive information—to be wary of email requests like this from company executives. Make them aware of this scam and ones like it, and teach them to be skeptical. A good practice is to require that the employee obtain verbal authorization, preferably in person, from the requesting person to verify that the request is legitimate before sending any response. Your company’s IT department also should be monitoring for phishing trends and remaining on the alert for suspicious outgoing activity, including large files or attachments.
The FMG Data Security & Privacy team is here to help with employee training or preparing a plan to respond to an incident.