Alert
02.21.17
As tax season looms, the IRS is once again warning that fraudsters are scamming companies, schools and nonprofits into handing over their employees’ W-2s to cybercriminals. The IRS recently issued a news release stating that the scam is on the rise and has evolved beyond the corporate world to other entities that may not have formal policies for sensitive data requests.
Here is how the scam works: A cybercriminal disguises, or “spoofs,” an email from an executive, either by changing the address in a subtle manner (Joe.Smith@abco.com becomes Joe.Smith@abcco.com) or by embedding a hidden “reply-to” field so that any reply goes to the cybercriminal’s account. The email contains an urgent request for employees’ Form W-2s along the lines of “Please send me a copy of the 2016 W-2s for all staff as soon as possible. I need this for a meeting in 45 minutes. Sorry for the short notice.” The staff person receiving the email quickly replies to the “executive’s” request, attaching the files. Once the cybercriminal receives the W-2s, he can quickly file fraudulent tax returns requesting and obtaining the employees’ tax refunds, and can also sell the personally identifiable information (PII), such as Social Security numbers.
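As an added illustration, not part of the original alert, the following Python script checks an inbound message for the two spoofing tells described above: a sender domain that is a near-miss of the organization’s real domain, and a Reply-To header that routes replies somewhere other than the sender’s domain. It also flags that the message asks for W-2 forms, so a mail filter or help desk can route such requests for a second look. The trusted domain abco.com, the sample messages, and the edit-distance threshold are assumptions made for this example.

```python
"""Flag W-2 phishing tells: lookalike sender domains and mismatched Reply-To.

Constructed for illustration; the trusted domain, sample messages and
thresholds below are assumptions, not values from the alert.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "abco.com"  # assumed: the organization's real mail domain
LOOKALIKE_MAX_DISTANCE = 2   # assumed threshold: how "close" counts as a lookalike


def _domain(header_value):
    """Return the lowercase domain part of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_message(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    findings = []

    # Tell 1: sender domain is a subtle misspelling of the real domain.
    if from_dom != trusted_domain:
        dist = _edit_distance(from_dom, trusted_domain)
        if 0 < dist <= LOOKALIKE_MAX_DISTANCE:
            findings.append(
                f"lookalike sender domain {from_dom!r} (expected {trusted_domain!r})")

    # Tell 2: replies are silently redirected to another domain.
    if reply_dom != from_dom:
        findings.append(
            f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # Context: the message asks for W-2 forms at all.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if "w-2" in text or "w2" in text:
        findings.append("message requests W-2 forms")
    return findings


# Constructed sample messages (not real traffic).
LOOKALIKE_DOMAIN = (
    "From: Joe Smith <Joe.Smith@abcco.com>\n"
    "To: payroll@abco.com\n"
    "Subject: W-2s needed\n\n"
    "Please send me a copy of the 2016 W-2s for all staff as soon as possible.\n")

HIDDEN_REPLY_TO = (
    "From: Joe Smith <Joe.Smith@abco.com>\n"
    "Reply-To: Joe Smith <joe.smith@mail-example.invalid>\n"
    "To: payroll@abco.com\n"
    "Subject: quick request\n\n"
    "I need the W-2s for a meeting in 45 minutes. Sorry for the short notice.\n")

LEGITIMATE = (
    "From: Joe Smith <Joe.Smith@abco.com>\n"
    "To: payroll@abco.com\n"
    "Subject: lunch\n\n"
    "Are we still on for noon?\n")


if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE_DOMAIN),
                      ("reply-to", HIDDEN_REPLY_TO),
                      ("legitimate", LEGITIMATE)]:
        print(name, "->", check_message(raw) or ["no findings"])
```

Run against a mailbox export or a mail gateway hook, the two spoofing checks are cheap enough to apply to every message; the W-2 keyword check is deliberately broad so that a request for tax forms from any sender is routed to a person who verifies it out of band before anything is attached to a reply.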
Using Stolen PII to File Fraudulent Tax Returns Is Not New
Twelve people were recently convicted or pled guilty in such a scam that ran between 2005 and 2012 and involved filing 12,000 false returns and receiving over $20 million in refunds. The W-2 phishing email scam first appeared last year and created an administrative and public relations nightmare for numerous companies whose faithful employees were conned into giving up the company information. Now this scam is resulting in class action litigation. Divulging PII in response to one of these scams can lead to complaints that the company took inadequate steps to safeguard such data and provided inadequate notice of the data breach. Within the past year, numerous class action complaints have been filed against employers victimized by the scam. In one such case, the class action was brought on behalf of employees and their spouses, who alleged that employees’ family members’ Social Security numbers were also disclosed. Plaintiffs and the classes they purport to represent typically seek actual and punitive damages, injunctive relief, and attorneys’ fees.
In order to guard against such phishing schemes and to deter the follow-on class action, there are some concrete steps that all organizations can take.
Preventative Actions
Recommended Actions if You Receive a W-2 Phishing Email
Recommended Actions if You Have Mistakenly Provided Information in Response to a W-2 Phishing Email