According to the IRS, a new phishing scheme is on the rise that targets employee W-2 forms and related records. As part of the scheme, a fake email purportedly from the CEO or another company executive is typically sent to a payroll or HR professional requesting employee W-2 forms and/or other tax-related information pertaining to company employees. The email, according to the IRS, may request that the recipient "kindly send the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review," or by some other verbiage convey an immediate need by the CEO or other company executive for such data.

Rather than protest or question the presumed CEO, the recipient of the email may innocently provide the requested W-2 forms and other confidential information. The IRS indicates that the scheme has already claimed several corporate victims.

It is widely reported that the bad actors behind these attacks may be using the W-2 forms to steal employee tax refunds. Indeed, the IRS is warning taxpayers that if a person e-files a tax return and discovers that a return has already been filed using that person's Social Security number, or if the IRS sends the person a letter saying that it has identified a suspicious return using the person's Social Security number, he or she should visit the IRS's identity theft web page and follow the IRS's instructions.

What to Do?

An effective strategy to mitigate the risk of this and other phishing schemes should focus on the organization's people, processes and controls, and technology.

First, focus on educating employees about the risks posed by phishing schemes and similar threats. Such training should review a variety of cybersecurity threats and best practices. A security-focused corporate culture will reduce the risk that companies are victimized.

Second, focus on internal policies and controls related to information governance practices. Corporate policy should prevent the dissemination of employees' confidential information, including W-2 forms and other tax-related information, outside of an approved protocol that does not allow circulation by informal email (either at all or without further verification as to the authenticity of the information request).

Additionally, Stroz Friedberg, a global leader in investigations, intelligence, and risk management, advises that companies consider taking one or more of the following technical steps:

  • Spam Filtering: Enable or install spam filtering functionality on email servers. Spam filtering increases employee efficiency by eliminating useless emails and reducing email traffic. Spam filtering also plays an important role in cybersecurity by preventing many phishing or other malicious emails from arriving in employee inboxes.
  • DLP: Install a data loss prevention ("DLP") solution to monitor and control network and email traffic. DLP solutions allow corporations to monitor, alert on, block, and encrypt the transmission of certain types of data, such as Social Security and credit card numbers.
  • Secure Transmission: Limit the ability to transmit Social Security numbers and certain other confidential identifiers or data via regular email transmission. Transmission limits can be obtained through the use of DLP solutions, other programs or applications, or corporate policy. Where companies are unwilling or unable to address the issue through a technical solution, a corporate policy barring standard email transmission of certain types of sensitive data can reduce certain cyber risks, including those associated with phishing schemes.
  • Subject Line Configuration: Configure the email server to include a note such as "Outside Sender" in the subject line of any email received from someone outside of the company. Phishing schemes often involve an attempt by the attacker to trick email recipients into believing that they have received a trusted email from another internal company employee. An employee who receives an email with a subject-line note "Outside Sender," but purporting to be from an internal colleague, can more easily recognize a possible phishing attempt.

The tax-related phishing scheme identified by the IRS is another in a recent spate of events bringing increased scrutiny to corporate privacy and data security practices. In addition to the recommendations outlined above, companies should reassess enterprise-wide privacy and data security policies and procedures to ensure that data are adequately protected and that companies are satisfying all applicable privacy and data security compliance obligations.

Chad M. Pinson, Managing Director of Stroz Friedberg, and Frances M. Parker, an associate in Jones Day's Atlanta Office, contributed to this Alert.