Businesses need to watch out for the resurgence of a W-2 based cyber scam that targets businesses and other employers during tax season.
The scam consists of a fake email sent to an HR or accounting department employee, purportedly from an executive or “higher-up” within the organization. The email addresses shown are in fact legitimate internal addresses, as are the “sender” and recipient names.
The fake email asks the employee to forward the company’s W-2 forms, or related tax data, to the “sender.” Relying on the accuracy of the sender’s email address, coupled with the sender’s job title and role, the employee forwards the confidential W-2 information, which actually goes to a hidden email address.
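The diverted reply described above can be caught before anyone answers by comparing the message headers: a genuine internal From address paired with a Reply-To (or envelope sender) outside the company is the tell. The following Python triage routine is an added example, not from the article; the domain `example-corp.test`, the keyword list and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"  # assumption: the employer's mail domain
TAX_TERMS = ("w-2", "w2", "payroll", "social security")  # marks a sensitive request

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' when there is none)."""
    return addr.rpartition("@")[2].lower()

def triage(raw_message: str, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return the indicators that fired for one RFC 5322 message (empty = none)."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    findings = []
    # The scam keeps a genuine internal From address and diverts the reply
    # with a Reply-To header pointing at an address the attacker controls.
    if domain_of(from_addr) == internal_domain and reply_addr \
            and domain_of(reply_addr) != internal_domain:
        findings.append(f"reply diverted: From {from_addr}, Reply-To {reply_addr}")
    # A forged From header usually arrives with an envelope sender elsewhere.
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(f"envelope sender mismatch: Return-Path {return_path}")
    # Escalate only when the message actually asks for tax or payroll data.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(term in text for term in TAX_TERMS):
        findings.append("requests W-2/payroll data")
    return findings

# Constructed samples: a diverted W-2 request and an ordinary internal note.
SCAM = """From: "Pat Executive" <pat.executive@example-corp.test>
Reply-To: "Pat Executive" <pat.executive@example-corp-hr.test>
To: hr@example-corp.test
Subject: W-2 forms needed today

Please send me all employee W-2 forms as PDF before noon.
"""
BENIGN = """From: "Pat Executive" <pat.executive@example-corp.test>
To: hr@example-corp.test
Subject: Lunch Thursday

Are you free for the team lunch on Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM), ("benign", BENIGN)):
        print(label, triage(sample) or ["no indicators"])
```

A message that fires both the diversion check and the tax-data check is the one to route to a human verification step (a phone call to the named executive) rather than to the inbox.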
If successful, the cyber-criminal obtains a trove of sensitive employee data that can include names, dates of birth, addresses, salary information, social security numbers, as well as other employer information needed for tax filings.
The information is then used to file fake individual tax returns that generate fraudulent tax refunds, or is sold on the dark Web to identity thieves.
Firewalls, Web filters, malware scans and other security software help, but experts agree that the best defense is employee awareness, says attorney Joseph Lazzarotti of the Jackson Lewis law firm.
This includes ongoing security awareness training, simulated phishing exercises, internal procedures for verifying transfers of sensitive information, and reduced posting of personal information online.
If a phishing attempt succeeds, Lazzarotti says, the employer should investigate the nature and scope of the attack and ensure that the attackers are no longer present in its systems.
Such employers also should determine whether state law requires notification to affected individuals and state agencies, and help employees who have questions about correcting their tax returns, he advises.
Also, report the incident to the FBI’s Internet Crime Complaint Center and the IRS at firstname.lastname@example.org.