Redpath Insights

Avoid W-2 Phishing Scams During Tax Season

Written by Gloria McDonnell, CPA | January 11, 2017

About this time last year, the Internal Revenue Service issued an alert to payroll and human resources professionals to beware of phishing scams that were made to look like requests from company executives seeking personal employee information, specifically W-2 forms and payroll data. Human resources departments were deceived by the phony e-mails and mistakenly sent data containing Social Security numbers and other personally identifiable information to criminals. The information was subsequently used to commit identity theft, and in some cases fraudulent tax returns were filed.

These types of tactics, in which people are psychologically manipulated into performing actions or divulging confidential information, are classified as "social engineering." The email phishing technique (also known as spear phishing) is by far the most successful social engineering tactic on the internet today, accounting for 91% of attacks!* To combat these types of scams, companies need to educate their employees regarding phishing tactics and develop procedures to follow in the event that a scam is suspected.

Elements of a W-2 or Payroll Information Phishing Scam

Criminals vary in their approach to gaining access to sensitive information, but many phishing scams share a few common elements:

  • Contact is initiated via email.
  • Identities are concealed via hacked email accounts or spoofed email addresses (in which the email address is made to look like it comes from someone you know or trust).
  • Criminals masquerade as an executive, an employee in a position of power, or someone with decision-making authority over the employee to whom the request is made.
  • Sensitive information (some combination of Social Security numbers, salaries, addresses, names, dates of birth or tax documents) is requested in bulk, for example as a PDF or Excel document.
  • Requests are made under the guise that the information needs to be "reviewed," or "sent to me ASAP."
  • In some cases the criminals may ask that the files be transferred via Dropbox, or request login credentials to file-sharing sites, if the document is too large to email.

Educate Your Employees and Protect Sensitive Information

Here are some tips to help protect your data and employees' sensitive information:

  • Any employee that has access to sensitive personal or financial information should be made aware of these types of scams.
  • Make sure there is a consistent procedure for requesting sensitive information; anything that deviates from that procedure should raise a red flag (for example, any request for certain types of information that arrives by email should immediately be called into question).
  • Detect spoofed emails by hovering your cursor over the sender's email address. This reveals the actual address, and therefore the domain, that your reply would be sent to.
  • Watch for signs of a phishing scam such as odd language or phrasing that seems unusual for the person requesting the information.
  • If in doubt, pick up the phone and call the person requesting the information.
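As an added example (not code from the original article or from Redpath), the following Python check does programmatically what the "hover over the address" tip does by hand: it parses a constructed sample message of the kind described above, compares the From and Reply-To domains against an assumed company domain (example.com), and flags the W-2 and urgency wording the article warns about.

```python
import email
from email.utils import parseaddr

# Constructed sample of the message type the article describes: the display
# name is a real executive, but the address and Reply-To belong to outside
# domains. The company domain "example.com" is an assumption for this example.
SAMPLE_PHISH = """\
From: "Jane Doe, CEO" <jane.doe@example-payroll-review.com>
Reply-To: ceo.jane@mail-review.net
To: payroll@example.com
Subject: W-2s needed ASAP
Content-Type: text/plain

Can you send me the W-2s for all employees as a PDF so I can review them? Need it ASAP.
"""

COMPANY_DOMAIN = "example.com"  # assumed for the example
KEYWORDS = ("w-2", "w2", "payroll", "social security", "asap", "review")


def domain_of(address_header: str) -> str:
    """Return the lowercase domain part of an RFC 5322 address header."""
    _, addr = parseaddr(address_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: str, company_domain: str = COMPANY_DOMAIN) -> list:
    """Return the list of red flags found in a raw message; empty means none."""
    msg = email.message_from_string(raw)
    flags = []
    from_domain = domain_of(msg.get("From"))
    # Where would a reply actually go? Reply-To wins over From when present.
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain
    if from_domain != company_domain:
        flags.append(f"sender domain is external: {from_domain}")
    if reply_domain != from_domain:
        flags.append(f"Reply-To domain differs from From: {reply_domain}")
    if reply_domain != company_domain:
        flags.append(f"reply would leave the company: {reply_domain}")
    # Sensitive-data and urgency wording, as listed in the article.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [k for k in KEYWORDS if k in text]
    if len(hits) >= 2:
        flags.append("sensitive-data/urgency wording: " + ", ".join(hits))
    return flags
```

A message that raises any flag should be verified by phone before anything is sent, which is exactly the last tip above.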

*SOURCE: heimdalsecurity.com