February 15, 2017

W-2 Phishing Scams Evolve for 2017

Fortalice was recently featured in an NBC Nightly News story (view the story here) on the growing number of scams involving employees’ personal information and W-2 tax forms. Please read below for more information on how cybercriminals are targeting businesses, and five tips to guard against these phishing scams.

With tax season in full swing, cybercriminals have increased their efforts to obtain employees’ personal information. Cybercriminals are posing as company executives and sending phishing emails to payroll and human resources (HR) professionals, who are instructed to supply employee information, including W-2 tax forms and Social Security numbers. The criminals then use the personal information to file fraudulent tax returns and collect refund money, among other ways of monetizing the information.

The Internal Revenue Service (IRS) has reported on W-2 phishing scams in the corporate sector. However, cybercriminals have broadened their attempts and are targeting nonprofits, school districts, restaurants, and hospitals. Additionally, the phishing emails are sometimes accompanied by a request to wire funds, meaning a targeted organization could incur financial losses in addition to sending out employees’ personal information.

Fortalice recommends alerting all staff members, particularly those in payroll or HR departments with access to employee and tax information, about these phishing attempts.  It is also a good time to revisit email security policies and phishing awareness to protect your organization and its employees.  This continued dialogue helps keep employees vigilant and aware of the latest attempts and methods used by scammers.

The IRS asks that your organization forward any W-2 scam email to phishing@irs.gov with “W2 Scam” in the subject line, and file a complaint with the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center. The IRS also asks that employees whose W-2 forms have been stolen “review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.”

Top Five Phishing Tips to Avoid W-2 Phishing Scams:


1. Beware of messages asking for lists of employees or Social Security numbers. W-2 phishing attempts often appear to come from actual CEOs or other executive leadership. Follow up with the source of the message to verify whether it is a legitimate request, and if not, report the message to the IRS.

2. Require verification from a second person in your organization before releasing personal or confidential information. Have a plan in place to reduce the criminals’ chance of success.

3. Phishing emails originate from outside of your organization. The sender’s email address may look similar to your company’s, but it will not match exactly. Check the address before responding.

4. IT departments may be able to use controls to limit or block spoofing or phishing attempts.  One potential option is a notification when a message comes from an external source.

5. Train employees to recognize common characteristics of phishing emails. Fortalice offers more information on phishing emails, and tools to guard against being tricked by scammers, at http://fortalicesolutions.com/phishing.
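As one illustration of the controls in tips 3 and 4, the following added example (not Fortalice's own code) flags inbound mail that is external, comes from a near-miss of the organization's domain, pairs an executive's display name with an outside address, or asks for W-2 data. The domain `example.com`, the executive names, the keyword list and the sample messages are all constructed assumptions.

```python
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                 # assumed organization domain
EXECUTIVES = {"jane doe", "sam lee"}       # assumed executive display names
W2_TERMS = ("w-2", "w2", "social security", "ssn", "wire")  # assumed keywords

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(from_header, subject, body):
    """Return the list of warning flags for one inbound message."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != ORG_DOMAIN:
        flags.append("EXTERNAL")                      # tip 4: external-sender notice
        if 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
            flags.append("LOOKALIKE_DOMAIN")          # tip 3: similar, not exact
        if name.strip().lower() in EXECUTIVES:
            flags.append("EXEC_NAME_EXTERNAL_ADDR")   # tip 1: poses as an executive
        text = f"{subject} {body}".lower()
        if any(term in text for term in W2_TERMS):
            flags.append("SENSITIVE_REQUEST")         # tip 1: asks for W-2/SSN data
    return flags

# Constructed sample messages (not real mail)
SAMPLES = [
    ("Jane Doe <jane.doe@example.com>", "Q1 planning", "Agenda attached."),
    ("Jane Doe <jane.doe@examp1e.com>", "Urgent", "Send me all employee W-2 forms today."),
    ("Vendor <billing@supplier.test>", "Invoice", "March invoice attached."),
]

if __name__ == "__main__":
    for frm, subj, body in SAMPLES:
        print(frm, "->", triage(frm, subj, body) or ["OK"])
```

The check reads only the From header, so a message that forges the organization's exact domain passes it; it supports, rather than replaces, the second-person verification in tip 2.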



