Dykema’s Privacy and Data Security Group has seen a significant rise in the number of phishing scams in the past month targeting a company’s W-2 information for their employees. This tax season, the threat has expanded beyond typical for-profit organizations and is now targeting schools, restaurants, hospitals and other nonprofit organizations. One study found that more than 29,000 employees were affected by these scams in just the first month of this year. In fact, the scam is so widespread that the IRS issued a warning to all employees early in February 2017.

"This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme," said IRS Commissioner John Koskinen.

The good news is that there are steps organizations can take now to help avoid a costly data breach later.

What is the Scam?

In terms of sophistication, this scam tends to be relatively simple. The fraudsters send a fake email which appears to be coming from a high-level employee of the organization, many times the CEO or CFO. Often, the email says that there is an urgent need for this information. The email directs the employee to send the W-2 information from a company's payroll or human resources departments. The fraudsters may also ask for additional information including an earnings summary for employees, Social Security Numbers, home addresses, or other information. Once in the hands of the fraudsters, they use this information to file fraudulent tax returns and get bogus tax returns.

How Can You Avoid the Scam?

As a rule, you should never transmit W-2 or other sensitive employee/contractor personal information in unencrypted format, even on an internal basis. Even basic Excel spreadsheets can (and should) be password protected, and do not include the password in the email with the information itself.

There are also a number of additional steps that an organization can take now to help avoid the scam.

  1. Work with your organization’s internal or external information security personnel to ensure that your cybersecurity measures are up to date so that they can intercept the emails before they penetrate the organization.
  2. Specifically identify the threat to your employees and take the opportunity to do another round of education about privacy and cybersecurity.
  3. Run your own internal phishing expedition to ensure that people are getting the message and identify people who might need additional coaching. When doing so, ensure that counsel is involved to protect the results of your work with the attorney-client privilege.

We Have Been Hit, Now What?

  1. Implement your Data Breach Response Plan immediately.
  2. Engage experienced data breach counsel to minimize the risk of more expensive litigation and regulatory enforcement actions down the road.
  3. Identify and isolate the breach as soon as possible. What information was stolen, who was affected and where did it go? Ensure that the fraudsters are not still in your systems by turning to experienced data breach information security professionals. They can also help you safely preserve all evidence of the data breach.
  4. Once you understand the scope of the breach, determine whether you need to send notification letters to employees or governmental agencies or credit monitoring services for affected employees. The rules regarding breach notification vary by state, so for larger data breaches, this is a state-by-state analysis.
  5. Organizations should also consider sending notifications to their insurance carriers and law enforcement.
  6. Identify potential litigation and regulatory enforcement risks.
  7. Once the breach has passed, undertake remediation measures and identify lessons learned to avoid the attack again in the future.