Cyber criminals are taking advantage of tax season to lure valuable W-2 information from vulnerable businesses. An example of a common phishing scheme starts with a scammer posing as a legitimate employee of a company, sending an email that looks like it is coming from an internal email address, often the Human Resources department or the Finance department, or even from the CEO of the company. A cyber criminal may even impersonate an employee using stolen personal data from that employee. The email from the scammer attempts to trick the recipient into sending the scammer W-2's, often creating a sense of urgency for a quick response. As we all know, a W-2 contains valuable information such as an individual's name, address, social security number, salary and withheld taxes. Cyber criminals can use this information to file fake tax returns and pocket tax refunds.

As recently as February 17, 2017, the IRS warned of a new phishing scam where tax professionals and state tax agencies are sent an email impersonating a software provider with the subject line "Access Locked." The email tells the recipient that access to the software was suspended due to errors in the recipient's security details. Then, the email requires the recipient to "unlock" the software by clicking on a link that directs the recipient to a fake web page, prompting the recipient to provide his/her user name and password, which is used by the scammer to steal client information. https://www.irs.gov/uac/newsroom/security-summit-alert-tax-professionals-warned-of-new-scam-to-unlock-their-tax-software-accounts

Other common ways phishing attacks occur are by: (1) embedding a link in an email that redirects the recipient to an unsecured website that asks for sensitive personal information, (2) including with an email a malicious attachment or ad that allows an intruder to use loopholes in security to obtain personal information, or (3) impersonating a known vendor or an employee over the telephone to obtain company information.

We offer some tips to help prevent succumbing to W-2 phishing attacks that are already plaguing this tax season:

  1. Pick up the phone: If you receive an email asking for a W-2 or hear of someone in your company receiving such an email, verify the authenticity of the request. A simple solution is to pick up the telephone and call the apparent author of the email to ask if he/she indeed asked for a W-2. The same rule of thumb should apply if you receive an email asking for a money transfer or other sensitive information.
  2. Check the sender's email address for discrepancies: Often an email address from a scammer will look almost like a company's internal email address, but there might be a spelling error with one letter off, or a period added or taken away. Scrutinize the email address from a sender asking for W-2s to see if there are any discrepancies that might provide a clue that the email is fake.
  3. Don't just reply, forward instead: Instead of automatically hitting reply to an email from what appears to be a known colleague asking for W-2s or credentials that could be used to obtain W-2s, forward the email to the legitimate email address you have for the person who the email looks like it is coming from and ask she/he to verify if he/she sent the forwarded email.
  4. Redact W-2s: If your business is not required to provide or maintain unredacted W-2s, then redact (black out) all but the last 4 digits of social security numbers on W-2s you generate or maintain. This reduces the sensitive personal information available on the W-2 and makes the W-2s much less valuable if a scammer ever was able to obtain them.
  5. Encrypt W-2s (and all sensitive company information): Even if you cannot redact W-2s, all W-2s and sensitive company information should be encrypted, both at rest and when being transmitted (including in the mobile and "own device" environments).
  6. Train your workforce: Regularly educate and train your workforce on phishing attacks. Test your workforce on the training provided. Phishing attacks work because of human error. Training and testing of your workforce to recognize phishing attacks can greatly reduce the risk of success of a phishing attack.
  7. Implement and maintain strong information security: Ensure that your company has robust spam filters that are regularly updated, block malicious websites, enable browser ad-ons that prevent a user from clicking on malicious links, use antivirus software, and keep all security systems current with updates and patches. Apply all of these security programs to mobile environments and "own devices" to prevent exploitation of vulnerabilities in the mobile environment or from "bring your own device" practices.
  8. Restrict access to W-2 information: Ensure that only key personnel have authority to access personally identifiable information, in this case W-2 tax information. Such access should be restricted to only those who require it to perform their job duties.
  9. Restrict outflow of W-2 information: Restrict internal staff's ability to copy sensitive data into unapproved methods of transmission, such as email and web browsers, including controlling the ability to copy, paste and print sections of documents. Loss prevention endpoint technology and application controls are available in this area.
  10. Implement, practice and update a Data Loss Prevention (DLP) Program: Cyber risks present a fast- evolving landscape. Data loss through cybercrime and internal risks represent increasing business exposures. Prevention is key to mitigation in this area and a better option than facing a breach unprepared. An entity that knows those risks and controls the data that flows within and outside of its walls can best remain competitive in the marketplace. Using this knowledge, a company can most efficiently protect sensitive data and quickly respond to security incidents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.