During last year’s tax season, businesses large and small, school districts, non-profit organizations and even tribal organizations fell victim to the Form W-2 email phishing attacks. In this blog post, I will share some tips on how to protect your business today.
As this KrebsonSecurity story pointed out, prominent W-2 phishing scam victims include Seagate Technology, Moneytree, Sprouts Farmer’s Market and EWTN Global Catholic Network. The W-2 email phishing scam was so rampant last year, the IRS issued an urgent alert in early February warning employers about the scam.
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen in the alert.
According to databreaches.net, which tracked the victims of W-2 Phishing scams, more than 200 businesses/organizations fell for the scam last year but it’s hard to know just how many real victims — those who had their information handed over to cybercriminals — there were as some of the organizations sent out thousands of W-2s. A Tampa Bay school district fell for the scam and released around 7,700 W2 forms. As you likely know, a W2 has all the information, including a person’s name, address and Social Security number, needed to file a fraudulent tax refund request with the IRS as well as to perpetuate other types of identity theft. For more about tax identity theft, check out our blog post.
First, a little about how the scam works: Cybercriminals use spoofing techniques to make an email appear as if it is from an executive within the organization. An employee in the payroll or human resources department is generally the target. The email requests a list of all employees and their W-2 forms.
Last year the scammers piggybacked on the W-2 scam, by sending a follow-up email to the payroll or comptroller asking for a wire transfer to be made, which is known as a CEO scam.
“Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers,” according to the release from the IRS.
Think your company is safe because you’ve trained your employees on phishing scams before? Think again. There are reports of employees who have recently undergone security training having fallen for the scam. Heck, even cybersecurity “experts” can fall prey, as this Krebs on Security post details.
As a business owner or operator, what can you do?
- Employers should create an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers. Add two-factor authentication to the mix by making an actual phone call between the requesting executive and the HR or payroll person part of the process.
- Conduct regular employee training regarding phishing. During the training, be sure and show employees real phishing examples. Point out the red flags that would help them be able to recognize a phishing attempt. UC Berkeley maintains a Phish Tank, with recent examples of phishing emails received on campus.
- Does your company have a process in place for reporting suspicious emails? No? You should! It could read something as simple as: “Don’t click or download anything. Forward the email to the IT department and then delete.”).
- Provide a little incentive for employees to be watchful by rewarding those who follow the process and forward the emails with company-wide shout-outs thanking the employee and letting everyone know they just earned a Starbucks gift card or a crisp $20. Encouragement in the form of cold hard cash never hurts!
- Consider creating a simulated phishing campaign using KnowBe4 or Gophish, two companies that offer such a service. But just know that you need to be thoughtful in your approach‚ if you fool your employee, they might lose trust in you and feel like the IT department is out for a “gotcha” moment. It’s important to keep the focus on “here’s how we can all get better and not fall for a phishing attempt.”
- When in doubt regarding any email, internal or external, train employees to pick up the phone and call the person who sent the email just to double check it really came from them and their account wasn’t compromised.
- Exercise restraint when it comes to your company’s social media accounts. Don’t publish information on your website or through social media that could be used against you. Attackers perpetrating CEO fraud schemes have been known to use these channels to find out information about when executives at a targeted organization are traveling or out of the office.
- Organizations receiving a W-2 scam email should forward it to email@example.com and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3,) operated by the Federal Bureau of Investigation.
- Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
- Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return is rejected because of a duplicate Social Security number or if instructed to do so by the IRS.
What’s your plan?
Do you have a plan in place that protects your employees if their identity is stolen? Did you know the average identity theft victim spends upwards of 200 hours trying to repair the damage? The phone calls they need to make have to happen during normal Monday-Friday working hours. They’re not the only ones on the losing end of the deal — think of how much productivity could be lost if their focus is elsewhere.
Consider covering your business with LibertyID for Small Business, an employee benefit that truly benefits everyone. And along with identity theft restoration protection for your employees, your business will also be covered in case of a data breach. When a small company has a data breach it causes severe damage to the organization, its employees, customers and reputation.
LibertyID for Small Business prepares you with prevention planning, a crisis response plan and fully managed identity theft restoration for your employees and for your customers should you experience a data breach. When a data breach happens, our team of specialists goes to work. Get covered today.
Photo Credit: Security Stock-11094, Hivint, Creative Commons Attribution-ShareAlike 2.0