Man’s Identity Stolen After His Employer Fell For W-2 Scam; Now He’s Suing

Businesses, school districts, hospitals and more have been falling this tax season for W-2 phishing scams, also called Business Email Compromise (BEC).

According to, which is keeping a running tally of the 2017 victims, the number of affected entities is up to 110 as of mid-March 2017.

In 2016, tracked 145 total BEC victims.

According to this story, this year “more than 120,000 taxpayers have been affected by a BEC attack through no fault of their own.”

They came up with that number by using figures from the “National Center for Education Statistics (NCES), employment figures at Glassdoor, and data provided by the victims when they disclose the incidents to the Attorneys General of California, Vermont, New Hampshire, etc.”

So what recourse, if any, do victims have? We’re about to find out.

Sunrun, a solar panel maker with headquarters in San Francisco, fell for the scam in late January, putting thousands of current and former employees at risk. Now the company is facing a proposed class action lawsuit recently filed by a former employee, Russell Ashlock, according to this story on

SFGATE covered the breach when it happened:

“Someone pretending to be Jurich sent Sunrun’s payroll department an email on Jan. 20 requesting employee W-2 forms, which companies typically send their employees this month. ‘Unfortunately, the phishing email wasn’t recognized for what it was — a scam — and employee W-2s for 2016 were disclosed externally,’ the real Jurich wrote to Sunrun employees in a memo this week,” according to the SFGATE story.

Identity Stolen Nine Days Post Scam

Nine days after the W-2 data was breached, someone filed a fraudulent tax return in Ashlock’s name.

Ashlock found out about the breach when he read about it online in early February, according to the story. Sunrun contacted him about the data breach Feb. 6, 2017.

The lawsuit contends: “Plaintiff and class members are now and will be at risk of identity theft for the rest of their lives, requiring constant diligence and monitoring.”

On top of this, Ashlock alleges that Sunrun failed to adequately compensate employees for exposing their data, offering them only two years of identity theft protection through Experian’s ProtectMyID service.

“Even if an employee accepts the ProtectMyID service, it will not provide employees any compensation for the costs and burdens associated with the fraudulent tax returns that were filed prior to an employee signing up for ProtectMyID,” the complaint says. “Sunrun has not offered employees any assistance in dealing with the IRS or state tax agencies. Nor has Sunrun offered to reimburse employees for the costs — current and future — incurred as a result of falsely filed tax returns.”

To read more about BEC attacks, how they’re executed and who else has been affected this tax season, read our blog post.

