Most companies today opt to distribute their employees’ W-2 tax forms electronically, either through email or some type of download service. Because these forms contain a good deal of Personally Identifiable Information (“PII”), such as name, address, Social Security number and salary information, cyber thieves are using several simple, yet tried-and-true, methods to fraudulently obtain them.
W-2 Phishing Scam Examples
Wyoming-based Campbell County Health recently fell victim to a cyber thief who impersonated an executive of the organization and contacted an employee, requesting W-2 information for all of its employees who earned wages in 2016. The employee unfortunately sent the files.
California-based eHealthInsurance suffered a similar breach when an employee responded to a phishing email by sending W-2 documents of the company’s employees to someone he thought was an eHealth executive.
IRS Offers Guidance
Despite issuing an alert in March of 2016 on phishing schemes to obtain W-2 information, the IRS noted a 400% surge in phishing and malware incidents in the 2016 tax season. IRS Commissioner John Koskinen warned:
“If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
If you’re not careful, your organization might be next to fall victim to these types of cyber scams. Below are four methods you can implement to reduce the risk of employee tax information being leaked to a cyber-criminal.
1. Strong Policies and Procedures
Something as simple as requiring verbal confirmation before documents are sent to a C-suite executive may thwart a cyber-criminal who is posing as the CFO or CEO. Establishing a defined chain of communication for requests involving confidential information is key.
2. Email Encryption
If sending tax documents through email, consider investing in a service that secures the message and requires the recipient to log in with a username and password before being able to read it. This may prevent a breach if a cyber-criminal intercepts one of these messages. Often, these encryption services will also automatically encrypt any email that contains sensitive data, which helps eliminate human carelessness. Encryption protects the message in transit and at rest; it does not help when the recipient address itself belongs to the impersonator, so it complements rather than replaces the verification step in item 1.
3. Email Filtering
Using an email filtering service that identifies suspicious messages and either blocks or quarantines them will weed out a good deal of the malicious email that may be sent to your employees.
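As an added illustration of the kind of rule such a filter applies to the scams described above (example code, not from the original post or any vendor product), this Python function scores a message on three signals: a known executive's display name arriving from an external domain, a Reply-To that diverts responses outside the company, and W-2 request wording. The executive names, the example.com domain and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values: the executives whose names are worth impersonating and
# the domain their genuine mail comes from. In practice, load these from HR/IdP.
EXECUTIVES = {"jane doe", "john smith"}
INTERNAL_DOMAIN = "example.com"
W2_REQUEST = re.compile(r"\b(w-?2s?|wage and tax statements?)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _plain_text(msg) -> str:
    """Subject plus every text/plain part, so keywords in either are seen."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append((part.get_payload(decode=True) or b"").decode(errors="replace"))
    return "\n".join(chunks)

def classify(raw: str) -> str:
    """Return 'quarantine', 'flag' or 'deliver' for one RFC 5322 message."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    external = _domain(sender) != INTERNAL_DOMAIN
    # Display name of a known executive, but the address is outside the company.
    impersonates_exec = display.strip().lower() in EXECUTIVES and external
    # Reply-To outside the company: replies (and attached W-2s) go to the attacker.
    reply_diverted = bool(reply_to) and _domain(reply_to) != INTERNAL_DOMAIN
    asks_for_w2 = bool(W2_REQUEST.search(_plain_text(msg)))
    if asks_for_w2 and (impersonates_exec or reply_diverted):
        return "quarantine"
    if impersonates_exec or reply_diverted or (asks_for_w2 and external):
        return "flag"
    return "deliver"

# Constructed sample messages, not real mail.
PHISH = """From: "Jane Doe" <jane.doe@example-mail.net>
Subject: Urgent: 2016 W-2s

Please send me the W-2 forms for every employee who earned wages in 2016 today.
"""
LEGIT = """From: "Jane Doe" <jane.doe@example.com>
Subject: Thursday budget review

Can we move the meeting to 3pm?
"""
```

A real deployment would also weigh SPF/DKIM/DMARC results and sender history; the point here is that impersonation plus a W-2 request is a far stronger signal than either alone.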
4. Employee Awareness
Staff members who handle sensitive data and tax information should be made aware of and regularly reminded about these scams. They should also understand that phishing schemes escalate during tax season. Basic awareness of the issue is often the best safeguard.
If a breach does occur, you’ll want to be sure your company responds quickly. Ensure that your Incident Response Plan is up to date, accessible, and understood by the team responsible for its execution.
Have specific questions on how to protect your firm from cyber fraud?