The tax season is upon us – and so is the tax fraud season. Nearly 20 percent of all federal tax return payments are sent to fraudsters.
In one common scam, a “spear phishing” email using the name of a company executive is sent to a human resources or payroll manager – asking the recipient to quickly send the W-2 files for all employees. Since the request appears to come from someone in authority, the recipient is inclined to respond and provide the requested information. The scammers then use this information to quickly file for the employees’ tax refunds.
This particular scam exploits an employee’s natural trust in internal email and senior executives.
Last tax season, close to 70 companies fell victim to this scheme – including Sprouts Farmers Market, Snapchat, Seagate Technology, and Kentucky State University. There are likely hundreds more that were unreported. Some analysts have noted a particular focus by scammers on healthcare and senior living organizations.
How the Scammers Operate
First, scammers scrape public data from sites like LinkedIn and Twitter to acquire the names and titles of company employees. The scammers then spoof, or fake, certain fields in the email. This scam relies on forging the “From:” field so that it displays the CEO’s or CFO’s name and email address. In reality, the email comes from the scammer and carries a “Reply-To:” header, which most mail clients do not display, set to an address controlled by the attacker – so the payroll manager’s reply, with the W-2 files attached, goes straight to the scammer.
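The two header tricks described above (a forged From: that shows an executive’s name or address, and a Reply-To: pointing outside the company) are easy to check for mechanically before a payroll inbox ever acts on a message. The following Python script is an added example, not code from the original article: it parses a raw message with the standard-library email package and flags a From/Reply-To domain mismatch, an executive display name attached to an address that does not match the company directory, and subject or body text that asks for W-2 or payroll data. The sample messages, the example-corp.com domain and the EXECUTIVES directory are constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of executives and their real mailboxes (assumption).
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
    "sam roe": "sam.roe@example-corp.com",
}

# Phrases that mark a request for the data this scam is after.
SENSITIVE_TERMS = ("w2", "w-2", "payroll", "tax refund", "social security")

# Constructed sample: display name impersonates the CEO, From address claims the
# company domain, and Reply-To points at an attacker-controlled domain.
SAMPLE_SPOOFED = """\
From: "Jane Doe, CEO" <ceo@example-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
To: payroll@example-corp.com
Subject: W2 files needed today

Please send me the W2s for all employees as soon as possible.
"""

# Constructed sample: a routine internal message with no spoofing indicators.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Quarterly headcount

Can you confirm the headcount by Friday?
"""


def _domain(addr):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw, internal_domain, executives=EXECUTIVES):
    """Return a list of indicator names found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(reply_addr)

    findings = []

    # Indicator 1: replies are diverted to a different domain than the sender shows.
    if reply_addr and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")

    # Indicator 2: the message claims to be internal but answers would leave the company.
    if from_domain == internal_domain and reply_addr and reply_domain != internal_domain:
        findings.append("internal-sender-external-reply-to")

    # Indicator 3: an executive's name in the display name, but not their known address.
    name = from_name.lower()
    for exec_name, exec_addr in executives.items():
        if exec_name in name and from_addr.lower() != exec_addr:
            findings.append("display-name-impersonation")
            break

    # Indicator 4: the message asks for the kind of data the W-2 scam targets.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        findings.append("sensitive-data-request")

    return findings


def needs_verification(raw, internal_domain):
    """True when the message should be verified out of band before anyone replies."""
    found = check_message(raw, internal_domain)
    return "sensitive-data-request" in found and len(found) > 1


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample, "example-corp.com"),
              "verify:", needs_verification(sample, "example-corp.com"))
```

The script is a triage aid, not an authentication mechanism: every header it inspects can be set by the sender, so it complements sender authentication at the mail gateway (SPF, DKIM and DMARC) and the in-person verification the article recommends, rather than replacing either. The needs_verification rule is deliberately conservative, requiring a data request plus at least one spoofing indicator, so that ordinary internal mail is not flagged.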
The schemes are so widespread that the IRS sent a notice last March to alert employers’ payroll departments of the spoofing emails. In this notice, the IRS indicated it had seen a 400 percent increase in phishing and computer malware incidents during the previous year’s tax-filing season. Unfortunately, there is no reason to believe that this trend will change during the current tax season.
The IRS has been unable to do much to mitigate these attacks. To file a tax return electronically, all someone needs is a name, date of birth, e-file PIN, and SSN. The IRS accepts tax filings as early as January 1, but employers are not required to submit correct employment information until March. By this time, roughly half of all refunds have been paid out – including fraudulent refunds. A real-time matching of forms would go far to thwart the scammers.
What Employers Need to Do
Sending this information to an unauthorized recipient constitutes a data breach – and the company must respond as it would with any other data breach. Even the most sophisticated cybersecurity measures are useless against a scam that relies on human error.
The key takeaway is clear. Anyone in a company with access to the collective W-2 information on employees must never respond to an email request for such information without first verifying (ideally, in person) that the request is genuine. Putting the employees who hold such sensitive information on alert can prevent a very simple yet harmful mistake.
Any detected W-2 spear-phishing attempts should be reported to the IRS at email@example.com.