A large portion of the data breaches that occur each year involve human resource related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to, a data breach.

This part discusses a specific type of data security breach that impacts employers each year – tax and W2 theft.

Tax returns and W-2s are information rich documents that contain the name and Social Security Number of an employee, as well as information concerning their salary and address, and personal behavior and characteristics (e.g., the charities that they support, their sources of income, their investments, and their relationships with financial institutions). Each year cyber-attackers target these documents to sell sensitive information contained in the file. Other attackers may attempt to use tax documents (e.g., an employee’s W-2) to submit a fraudulent income tax return in the hope of defrauding the IRS into sending funds for a false tax refund.

There are many methods by which attackers attempt to obtain tax information, including obtaining tax documents from employers. For example, in 2016, IRS Commissioner Kohn Koskinen highlighted spear phishing attempts against human resource departments: “This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

Employers should consider taking the following steps to help prevent a data breach of your employee tax records:

  1. If you receive a request from a company executive to email large quantities of employee information, verify that request by telephone before responding.
  2. If the request appears legitimate, consider transmitting the data using a secure connection and not by email.
  3. If you need to transmit tax information by email, encrypt the document before sending it.
  4. Never use a formulaic or easy-to-guess password for an encrypted file (e.g. employee's last name).
  5. Do not publicly post any information that your employees may need to access their tax information online.
  6. Track the rate of tax fraud reported to your Human Resource department each year. If the quantity of tax reported fraud is significantly greater this year than it was in previous years, consider investigating whether data may have been breached.
  7. If you have fallen victim to email phishing, talk to your attorney about whether you are required to notify your employees and whether it makes sense to provide employees with credit monitoring services.

TIP: Data breaches involving tax information have increased dramatically over the past few years. Most of the attacks involve tricking your employees through social engineering. Training employees to be mindful of attempts to gain employee information around tax season, and drilling home basic security hygiene are the best ways to help prevent this type of data breach.