Takeaways:

  • W-2 phishing scams are on the rise, and any organization with employees is a potential target.
  • Falling prey to the scam can lead to class actions from employees and their family members whose personally identifying information is disclosed.
  • There are preventative measures that can be taken to reduce the likelihood that a data breach will occur.

As tax season looms, the IRS is once again warning that fraudsters are scamming companies, schools and nonprofits into handing over their employees’ W-2s to cybercriminals. The IRS recently issued a news release stating that the scam is on the rise and has evolved beyond the corporate world to other entities that may not have formal policies for sensitive data requests.

Here is how the scam works: A cybercriminal disguises, or “spoofs,” an email from an executive, either by altering the sender address in a subtle manner (Joe.Smith@abco.com becomes Joe.Smith@abcco.com) or by embedding a hidden “reply-to” field so that any reply goes to the cybercriminal’s account. The email contains an urgent request for employees’ Form W-2s along the lines of “Please send me a copy of the 2016 W-2s for all staff as soon as possible. I need this for a meeting in 45 minutes. Sorry for the short notice.” The staff person receiving the email quickly replies to the “executive’s” request, attaching the files. Once the cybercriminal receives the W-2s, he can quickly file fraudulent tax returns requesting and obtaining the employees’ tax refunds, and can also sell the personally identifiable information (PII), such as Social Security Numbers.

Using Stolen PII to File Fraudulent Tax Returns Is Not New

Twelve people were recently convicted or pled guilty in such a scam that ran between 2005 and 2012 and involved filing 12,000 false returns and receiving over $20 million in refunds. The W-2 phishing email scam first appeared last year and created an administrative and public relations nightmare for numerous companies whose faithful employees were conned into giving up the information. Now this scam is resulting in class action litigation. Divulging PII in response to one of these scams can lead to complaints that the company took inadequate steps to safeguard such data and provided inadequate notice of the data breach. Within the past year, numerous class action complaints have been filed against employers victimized by the scam. In one such case, the class action was brought on behalf of employees and their spouses, who alleged that employees’ family members’ Social Security Numbers were also disclosed. Plaintiffs and the classes they purport to represent typically seek actual and punitive damages, injunctive relief, and attorneys’ fees.

In order to guard against such phishing schemes and to deter the follow-on class action, there are some concrete steps that all organizations can take.

Preventative Actions

  1. Train your payroll, finance and human resource employees about this scam in particular, and phishing emails, in general.
  2. Implement or update email security software that protects against phishing emails, including alerts that notify the sender when an email is about to be sent to a recipient outside the organization, and software that requires a particular process when PII, such as Social Security Numbers, is included in an email.
  3. Create an internal policy for protecting sensitive PII like Social Security Numbers and procedures for securely transferring such information or documents containing the information. This should include forbidding the transfer of Social Security Numbers by unencrypted email. (If the employee receiving the spoofed scam email had simply printed the W-2s and walked them to the executive’s office the scam would have failed.)
  4. Create a two-step authentication process for all requests for PII, including verbal confirmation with the person making the request.
  5. Review and update (or implement) your Incident Response Plan and re-train your employees on security procedures, identifying security incidents and escalating potential data security incidents.
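The two spoofing tricks described above (a lookalike sender domain and a diverted reply-to field) and the outbound alert in item 2 can all be checked mechanically before a reply leaves the organization. The following Python script is an added example, not part of the original alert or of any email security product it refers to; abco.com is the domain from the alert's own example, while mail-drop.example, the names and both sample messages are constructed for illustration.

```python
import difflib
import re
from email import message_from_string, policy, utils

ORG_DOMAIN = "abco.com"  # the organization's own domain, from the alert's example
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # SSN-shaped values; no validation

# Constructed sample lure with both tricks; mail-drop.example is a made-up domain.
SPOOFED = """From: Joe Smith <Joe.Smith@abcco.com>
Reply-To: Joe Smith <joe.smith@mail-drop.example>
To: payroll@abco.com
Subject: W-2s needed

Please send me a copy of the 2016 W-2s for all staff as soon as possible.
"""
# Constructed sample reply carrying two SSN-shaped values to the lookalike domain.
REPLY = """From: payroll@abco.com
To: Joe.Smith@abcco.com
Subject: Re: W-2s needed

Jane Doe 123-45-6789, John Roe 987-65-4321
"""

def domain_of(addr):
    """Lowercase domain of one address header value, or '' if there is none."""
    return utils.parseaddr(addr or "")[1].lower().rpartition("@")[2]

def inbound_findings(raw):
    """Flag a lookalike sender domain and a Reply-To that diverts the answer."""
    msg = message_from_string(raw, policy=policy.default)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if reply_to and reply_to != sender:
        findings.append(f"reply-to goes to {reply_to}, not {sender}")
    similarity = difflib.SequenceMatcher(None, sender, ORG_DOMAIN).ratio()
    if sender != ORG_DOMAIN and similarity >= 0.85:  # a one-letter edit scores ~0.9
        findings.append(f"sender domain {sender} is a lookalike of {ORG_DOMAIN}")
    return findings

def outbound_findings(raw):
    """Flag SSN-shaped values about to leave the organization (item 2 above)."""
    msg = message_from_string(raw, policy=policy.default)
    addrs = utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = sorted({domain_of(a) for _, a in addrs} - {ORG_DOMAIN})
    text = "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_type().startswith("text/"))
    findings = [f"external recipient domain(s): {', '.join(external)}"] if external else []
    if external and (hits := SSN_RE.findall(text)):
        findings.append(f"{len(hits)} SSN-shaped value(s) would leave the organization")
    return findings
```

A real deployment would run the outbound check on attachments as well as the body and route the finding to the sender and the security team rather than only returning it.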

Recommended Actions if You Receive a W-2 Phishing Email

  1. Forward the email to the IRS at phishing@irs.gov and place “W2 Scam” in the subject line.
  2. File a complaint with the Internet Crime Complaint Center, operated by the Federal Bureau of Investigation.

Recommended Actions if You Have Mistakenly Provided Information in Response to a W-2 Phishing Email

  1. Notify all affected individuals pursuant to the breach notification requirements of your state and, if applicable, of the federal government.
  2. Immediately provide affected employees with a Form 14039, Identity Theft Affidavit, and instruct them to send it to the IRS as soon as possible.
  3. Notify the IRS and file a complaint with the FBI as noted above.
  4. Review, update or implement measures to detect and deter phishing emails and data security incidents.