There are three certainties in life: death, taxes, and the knowledge that Ben Franklin’s famous adage will be co-opted. A twenty-first century version of it may be that “in this world nothing can be said to be certain, except death and taxes … and cybercrime.”
As the tax season is fully underway, employers face an annual onslaught of scams designed to steal employee data. In recent years, cybercriminals have embarked on phishing expeditions in an attempt to trick company payroll personnel into forwarding information contained on W-2 forms. Cybercriminals use email spoofing to masquerade as C-suite executives or other persons of authority to request W-2 information from the personnel department. The IRS and state agencies have warned that cybercriminals may begin with an initial email that may appear to be personalized. If there is a response, the cybercriminals will respond with a request for all W-2 data for employees, including full Social Security numbers, salary, and withholding information. If the information is disclosed, the cybercriminals file false tax returns or sell the information.
Recently, cybercriminals, posing as company executives, have expanded the scam to ask payroll personnel to execute a wire transfer to an account. The IRS has also warned of new schemes to dupe taxpayers into believing they had received refunds in error and returning those funds to what turn out to be accounts set up by criminals.
The IRS cautions that these email phishing scams can be dangerous as they can result in the large-scale theft of sensitive data. The IRS reports that cybercriminals are not just going after large corporations – small businesses, schools, hospitals, tribal governments and charities have also been targeted.
In 2016, the IRS received 100 reports about the W-2 scam. By 2017, that number had jumped to 900, resulting in the disclosure of information on hundreds of thousands of employees.
Education and vigilance are key. Employers should train personnel who handle employee information, including W-2s, to be wary of unsolicited emails that request personal information, even if an email appears to originate from a known source. Confirming requests through a second channel provides a simple solution: any email requesting personal information should first be verified by a phone call confirming that the request is legitimate. Employers could also create an internal policy that restricts the distribution of W-2 information and requires more than a simple email request as authorization for a wire transfer. The FBI has recommended these and other best practices.
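The spoofing described above usually leaves traces a mail gateway or payroll mailbox rule can check before a human ever sees the message: an executive's display name paired with an address outside the company domain, a Reply-To that points somewhere else, and a body asking for W-2, SSN or wire data. The following script is an added example written for this post, not code from the post's author, the IRS or the FBI; the company domain, executive names, and both sample messages are constructed for illustration, and the flag it raises is meant to trigger the phone-call verification step described above rather than replace it.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed configuration (hypothetical company, not from the original post).
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"Jane Doe", "John Roe"}  # display names a scammer would imitate
SENSITIVE_REQUEST = re.compile(
    r"\bW-?2s?\b|social security|\bssn\b|withholding|wire transfer", re.I
)


def analyze_message(raw: str) -> dict:
    """Score an inbound message for the W-2 / wire-fraud spoofing pattern.

    Returns the sender address, a list of human-readable reasons, and a
    hold_for_verification flag that is set only when a sensitive request
    is combined with at least one sender anomaly.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or "")
    from_domain = from_addr.rpartition("@")[2].lower()
    # With no Reply-To header, replies go back to the From address.
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    reasons = []
    if from_name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append("executive display name sent from an external domain")
    if reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    asks_for_data = bool(
        SENSITIVE_REQUEST.search(text) or SENSITIVE_REQUEST.search(msg.get("Subject", ""))
    )
    if asks_for_data:
        reasons.append("requests W-2, SSN, withholding or wire data")

    # Hold only when a data request coincides with a sender anomaly; a
    # legitimate executive asking about lunch, or an external party with no
    # data request, is not escalated.
    hold = asks_for_data and len(reasons) > 1
    return {"from": from_addr, "reasons": reasons, "hold_for_verification": hold}


# Constructed sample messages (not real correspondence).
SPOOFED = """From: Jane Doe <jane.doe@mail-example-corp.test>
Reply-To: Jane Doe <ceo.jdoe@freemail.test>
To: payroll@example-corp.test
Subject: Quick request

Hi, can you send me the W-2s for all employees as a PDF today?
I need the SSNs and withholding figures for a review.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example-corp.test>
To: payroll@example-corp.test
Subject: Lunch

Are we still on for the team lunch on Friday?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, analyze_message(raw))
```

Run as-is it prints one result per sample message; wired into a mailbox rule or gateway hook, a `hold_for_verification` of `True` would route the message to a queue that is released only after the phone-call confirmation. The checks are deliberately heuristic: a compromised real executive mailbox would pass the domain tests, which is exactly why the out-of-band confirmation remains the control of record.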
Employers that have been the victim of a W-2 scam can notify the IRS at firstname.lastname@example.org with “W2 Data Loss” in the subject line and file a complaint with the FBI’s Internet Crime Complaint Center. Of course, a breach of personal information may also trigger state breach notification requirements.