W-2 Phishing Scams Target Payroll Departments in Pursuit of Employee Data
Don’t rush through your unread emails this tax season. Sophisticated W-2 phishing scams are likely to hit your inbox soon.
For several years now, cyber criminals have successfully used sophisticated social engineering tactics to dupe hundreds of payroll and HR departments into providing W-2 data on their employees, which results in the filing of fraudulent tax returns, identity theft cases, and even class-action lawsuits against the company.
Who’s Targeted: Payroll & HR Departments; Accounting Firms & CPAs
Who’s Sending: Sophisticated, career cyber criminals interested in profiting through the sale of bulk W-2 and identity information
The Consequences: Fraudulent tax returns, identity theft, class-action lawsuits
Successful attacks are incredibly disruptive to employees, extremely expensive for employers—and completely avoidable with awareness training.
What to Look Out For
The typical W-2 phishing email is spoofed to look like it is from a high-level executive and asks the employee to provide W-2 or other tax-related information either by replying to the phishing email, by sending the information to another email address, or to upload it to a server owned by the bad guys.
In many instances, the request for the information comes with a high sense of urgency, which compels the employee to act quickly. Plus, the appearance of the emails are designed to be replicas of legitimate emails from the executive and often contain the actual signature block.
Urgency coupled with the appearance of authenticity often cause the recipient to act without second thought.
How to Keep Your Employees from Falling for W-2 Scams
Warn your employees to "Think Before They Click" and to follow proper procedure—especially when the email contains a strange request and appears to be from the CEO.
Inoculate Your Employees With Security Awareness Training
EDTS provides simulated phishing and online security awareness training to businesses seeking to bolster their security through employee education. If you’re already a Security Awareness Training customer, you have access to ready-to-send W-2 phishing templates similar to the one below to train employees with access to employee W-2 information.
If Your Company Receives a W-2 Phishing Email
Do: Forward the email to email@example.com and place “W2 Scam” in the subject line
Don’t: Reply or forward the email to other employees or executives
Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3,) operated by the FBI.
Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
Employees should file a Form 14039 (PDF) Identity Theft Affidavit, if the employee’s own tax return rejects because of a duplicate Social Security number or if instructed to do so by the IRS. As a rule of thumb, file your taxes quickly.
Interested in preparing your employees for sophisticated phishing attempts? Email us and ask us about a demo of our simulated phishing tool.