By Sam Wolf   /   Mar 24th, 2020

Tips to Prevent W-2 Phishing Tax Scams

With the tax filing deadline extended to July 15th this year, it’s going to be a long tax season! While you and many of your employees are hoping for a hefty refund, many cyber criminals are excited about the extended time to run W-2 phishing tax scams. Even with the extended tax deadline, many organizations and individuals are still filing their taxes now – especially those that anticipate a refund.

Imagine if you settle in with your tax documents and go through the work of filing, only to discover that your return has already been filed with the IRS. You discover that you were the victim of W-2 fraud and your mind is flooded with questions. How did this happen? Why did it happen to you? Who else in your company was impacted by this event? How can I better protect my business and prevent unauthorized access to my employees’ personal information? We are going to answer these questions and give you the insight you’re looking for to help prevent phishing tax scams during this year’s extended tax season.

Why would a criminal want my W-2 or my employees’ W-2s?

Phishing tax scams are popular because W-2s contain so much personal data that a single form is all a cybercriminal needs to commit identity fraud and steal your refund. Information on a W-2 such as your social security number, full name, and address can also be used to open credit lines, take out loans, and so on. This information is valuable enough that it is also sold on the dark web, leaving your identity exposed to further abuse by other criminals.

How were they able to obtain these W-2s?

Criminals are able to get W-2s through various means including phishing, targeted social engineering, or purchasing them from the dark web. An example of obtaining W-2s through phishing involves a cybercriminal impersonating a high-level employee (such as a CEO or head of HR) by email and stating that they urgently need the W-2s of every employee in the organization. These phishing tax scams typically target lower-level employees that have access to these records, such as a finance clerk. In their eagerness to help, they comply with the request without giving it much thought or scrutiny. The criminal will then use the acquired W-2s to file a return with a maximized refund, then create a new bank account using the stolen identity and have the refund electronically deposited into this new account. The criminal then withdraws the funds, closes the account, and successfully walks away with the money.

What are some ways that criminals may spoof an email?

There are many parts of an email that may be spoofed to look as though it comes from a legitimate sender, which is why phishing tax scams are such a popular method of attack. The “From” address may be faked to look as if it is the address of the company’s actual CEO. In that same vein, the “From” display name can be spoofed to read exactly as the name of the CEO or head of HR, even when the underlying address is external. Another area to look at is the domain of the “From” address, where a single small detail is changed to resemble the company’s actual domain closely enough that it doesn’t raise suspicion. An example of this would be a domain listed as examp1e.com (with the digit 1 in place of the letter l), where example.com is the company’s actual domain. It is also possible for a cybercriminal to compromise a real employee’s or executive’s email account, enabling them to send an email that is legitimately from that account, despite the request itself being illegitimate.

What can businesses do to protect against this type of tax scam?

As with many threats, detection and prevention are key. Your company’s own policies and procedures, together with ample training, are the best defense against this type of phishing tax scam and other phishing attacks.

  • Ensure that employees are trained on appropriate levels of skepticism when opening emails, particularly those that contain links or are unusually urgent in nature.
  • Implement training procedures that cover checking the “From” address and “Reply-to” address in emails that employees receive and ensure that employees are familiar and comfortable looking for abnormalities in their email correspondence.
  • Teach employees to look for irregular or suspicious requests for information, such as requests for W-2s or other Personally Identifiable Information (PII). If they think an email seems even a little unusual, have them text or call the sender to confirm the request.
  • Implement preventative measures. Provide a written policy that lists all types of sensitive data, with clearly defined rules on how, when, and to whom the data can be distributed. It’s also helpful to identify high-risk employees and processes. Do you have interns who have access to highly sensitive information but who may not have received as much training as a full-time team member? Ensure thorough training and documentation so that every employee is on the same page regarding PII and the dissemination of information, regardless of their status. For a quick, free, interactive micro-learning experience, BrightWise has a test that assesses your ability to spot spoofed links, then shows you how to tell if a link is “phishy.” For more prevention strategies, read our blog on how to train users to avoid phishing.
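The spoofing tricks described above (a forged display name on an external address, a lookalike domain such as examp1e.com, a “Reply-To” that points somewhere other than the “From” address) can be checked automatically as well as by trained eyes. The following is an added example, not code from the original post or from LMG Security, showing how a mail-filter or help-desk script might score an incoming message against those checks. The company domain example.com, the executive names, the confusable-character table, and the two sample messages are all constructed for the demonstration; the keyword lists are deliberately small.

```python
"""Header and body checks for spoofed W-2 request e-mails (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"            # assumed: the company's real domain
EXECUTIVES = {"jane doe", "john smith"}   # assumed: names a W-2 request would impersonate

# Visually confusable substitutions commonly used to build lookalike domains.
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}

SENSITIVE_RE = re.compile(r"\bW-?2s?\b|social security|\bSSN\b|payroll", re.I)
URGENT_RE = re.compile(r"\burgent|immediately|\basap\b|right away", re.I)


def normalize_domain(domain: str) -> str:
    """Fold confusable characters so examp1e.com compares equal to example.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """True if the domain imitates the company's domain without being it.

    Note: the confusable folding can also flag unrelated domains that happen to
    contain 'rn' or '0'; a flag is a reason to verify out of band, not proof.
    """
    domain = domain.lower()
    if domain == company:
        return False
    return normalize_domain(domain) == company or edit_distance(domain, company) <= 1


def assess_message(raw: str) -> list:
    """Return the red flags found in one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    flags = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # Display name of an executive paired with an address outside the company.
    if from_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append(f"display name '{from_name}' on external domain {from_domain}")
    # Sender domain that merely resembles the company's domain.
    if is_lookalike(from_domain):
        flags.append(f"From domain {from_domain} looks like {COMPANY_DOMAIN}")
    # Replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Urgent wording combined with a request for W-2 / PII data.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if SENSITIVE_RE.search(body) and URGENT_RE.search(body):
        flags.append("urgent request for W-2/PII data in body")
    return flags


# Constructed sample messages: one phishing attempt, one ordinary internal mail.
PHISH = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-redirect.test
To: clerk@example.com
Subject: W-2s needed today

Hi, I urgently need the W-2s of all employees for a review. Please send them ASAP.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: clerk@example.com
Subject: Lunch on Friday

Are we still on for the team lunch?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess_message(sample) or ["no flags"])
```

Run stand-alone, the script reports four flags for the constructed phishing message and none for the ordinary one. Any flag should route the message to the out-of-band verification step the post describes (a phone call or help line), rather than being treated as a verdict on its own.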

What should be done if an employee receives a suspicious email?

If an employee receives an email that they suspect may be a phishing attempt, they should not click any links or take any requested actions until they confirm the validity of the email. This can include out-of-band authentication, which means contacting the sender in a form other than email, such as a phone call, to verify that they sent it and are actually in need of the PII in question. You can also set up a code word ahead of time that coworkers must use before being able to obtain sensitive information. One other option is to have an employee Help Line, which is an easy-to-remember phone number that employees can call to verify the validity of a request, particularly if the request is marked as being urgent or requires immediate action. Most importantly, if an employee fears they may have been a victim of phishing, they must act quickly and notify their supervisor immediately, so appropriate steps can be taken in response.

Living in a world where so much of our data is in the hands of technology, it’s important to practice extra diligence in ensuring that our personal information, and the personal information of those we work with, is held as safely and securely as possible. By following these tips, you can help ensure that you and your employees are protected against W-2 tax scams, and that those eagerly anticipated refunds are delivered into the right hands.

About the Author

Sam Wolf

Sam Wolf is an incident response analyst at LMG Security where she helps a wide range of customers respond to cybersecurity incidents and mitigate damage. Sam also brings a business and accounting background to her position, which can help clients understand the bigger picture. When she’s not battling cyber criminals, Sam enjoys playing roller derby, enjoying the outdoors, and weightlifting.
