A growing number of businesses have been victimized by W-2 phishing scams. These frauds are a variation on traditional phishing scams, where criminals trick email users into providing confidential information and then use that information to steal money or the victim’s identity.
How it works
In a W-2 phishing scam, cybercriminals, claiming to be from a company’s management, send emails to employees — typically in payroll, benefits or human resources departments. The emails request a list of employees along with their W-2 forms, Social Security numbers or other confidential data.
At first glance, the emails may look legitimate because scammers use techniques known as business email compromise or business email spoofing. Many contain the company’s logo and the name of actual executives that the thieves have obtained online. The messages use language such as “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
If the employee responds to the phishing email, criminals can use this information to file fraudulent tax returns in the employees’ names. The ultimate objective is to claim their refunds.
Education is key
Recently, the IRS released an alert urging employers to educate payroll and other employees about the dangers of W-2 phishing scams. Be sure to inform all workers, particularly those in areas that handle sensitive data, about the scams. Remind them not to click on links or download attachments from emails that are unsolicited, sent from addresses they don’t recognize or that seem in any way suspicious.
Employees often are nervous about questioning a request that appears to come from upper management. So encourage them to double-check any email request for sensitive information, no matter who appears to be making it. They should do this not by responding to the email in question, but by talking with a supervisor or colleague.
Don’t fall victim
Technology has a role to play as well. Install robust antivirus and spam filters and keep them updated.
With sensible precautions, your business can reduce the risk of falling victim to W-2 phishing scams. But if your company does fall victim, report the attack as soon as possible to firstname.lastname@example.org. Contact us for more information. © 2018