Protecting your company from W-2 phishing schemes
By Erin Walters, National Practice Advisor
As tax time rolls around, organizations of all sizes and their employees are warned to be on high alert for an increasingly prevalent email phishing scheme involving W-2 information. While the scheme itself is simple and quick, the impacts on employees’ lives from the resulting theft of their personal information can be devastating and long-lasting.
What it is
W-2 phishing is an emerging low-tech email scheme. It works like this:
- Cybercriminals pose as a company executive and send an email directly to a payroll or human resources professional requesting W-2 information on employees. This “spoofing” email will often contain the actual name of the company chief executive officer. An email may say something like, “Kindly send me the individual 2016 W-2s and earnings summary of all W-2s of our company staff for a quick review.”
- The scheme claims victims when an employee considers the email to be a legitimate request and mistakenly emails W-2 data to the cybercriminals. W-2 data includes a trove of sensitive information, including employees’ Social Security numbers, addresses, salary information, and other personally identifiable information.
- The cybercriminals operate on the assumption that, in the interest of being responsive to the executive and expedient in filling the request, the employee simply won’t take the time to verify the authenticity of the request.
The result is that fraudsters not only can steal employees’ identities, but can also file fraudulent tax returns for refunds. The fraud typically comes to light when the victims attempt to file their tax returns, only to have them rejected because the fraudsters have already filed false returns in their names.
While the federal government and states are implementing more stringent controls to analyze tax returns and ensure that fraudulent returns are flagged, the risk for fraud still exists. The identity theft impact can linger for years, and remediation is expensive and time-consuming for employees. They can’t simply cancel or change their stolen Social Security number like they can cancel and replace a stolen credit card.
While it can be easy to assume that most employees wouldn’t fall for this type of scheme, the growing incidence of this crime reveals otherwise. In early 2016, it was estimated that more than 50 companies across the U.S. fell victim to W-2 phishing schemes, including Moneytree, PerkinElmer, Seagate Technology, and Weight Watchers. The Internal Revenue Service issued an alert to payroll and human resources professionals to be aware of the emerging scheme, and it renewed a consumer alert on email phishing after seeing an approximate 400% surge in phishing and malware incidents during the 2015 tax season.[1]
According to the Federal Trade Commission’s Consumer Sentinel Network complaint database for law enforcement:
- Identity theft was the #2 complaint category in 2015, with 490,220 complaints, or 16% of the overall complaints. This represents an increase of more than 47% from 2014 on the back of a massive jump in complaints about tax identity theft from consumers.[2]
- Tax- or wage-related fraud was the most common form of reported identity theft at 45%, followed by credit card fraud at 16%.[3]
Best practices to help you avoid falling prey to W-2 schemes
- Ensure that your company executives communicate with all payroll, accounting, and human resources staff, and assure them that it's acceptable, and even expected, to question any and all requests for sensitive employee information such as W-2s.
- Ensure that all employees are trained to be on high alert for suspicious emails with requests of any type involving money or sensitive employee information.
- Ask your information technology partners if they can block spoofed emails or implement specifically designed spear phishing solutions.
- Always authenticate requests for employee information that are received by email or made outside your company's normal channels.
- If a request comes by email, fax, or mail, verify it with a phone call. If it comes by phone, verify it by email.
- Use contact information on file to verify the requestor. Never use the information that comes with the request. It's fraudulent, too.
- Prohibit executive requests for employee information made by email. Encourage staff to contact executives directly to verify requests.
- Require dual authorization for releasing sensitive employee information. The initiator and the approver must:
  - Pay close attention to the request details — not just give them a rubber stamp.
  - Authenticate the request before they initiate or before they approve to ensure that it's not fraudulent.
- File W-2s, W-3s, and 1099s as early as possible. Under the Protecting Americans from Tax Hikes (PATH) Act enacted in December 2015, employers’ new filing deadline to submit forms W-2 is January 31. The earlier deadline is intended to help the IRS catch discrepancies between an employer’s official reporting forms and those submitted by cybercriminals in order to prevent the filing of fraudulent returns.
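The controls above (question executive requests for W-2 data, verify out of band, and ask IT to flag spoofed mail) can be partly automated at the mail gateway or in the payroll inbox. The following is an added example, not code from this advisory or from Wells Fargo Insurance: it scores an incoming message on the three traits described in "What it is" (an executive's display name arriving from an outside domain, a Reply-To that diverts the conversation elsewhere, and wording that requests W-2 or earnings data) so the message can be routed to manual verification. The executive name, company domain and sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed assumptions for this example (not values from the advisory).
EXEC_NAMES = {"jane doe"}            # display names that payroll/HR staff trust
COMPANY_DOMAIN = "example.com"       # the only domain those executives mail from
W2_TERMS = ("w-2", "w2", "earnings summary", "social security")

# Constructed sample message modelled on the wording quoted in the advisory.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@examp1e-mail.net>
Reply-To: Jane Doe <ceo.jane@freemail.invalid>
To: payroll@example.com
Subject: Urgent request
Message-ID: <constructed-1@examp1e-mail.net>

Kindly send me the individual 2016 W-2s and earnings summary of all W-2s
of our company staff for a quick review.
"""


def spoofing_indicators(raw: str) -> List[str]:
    """Return the reasons a message should be held for out-of-band verification.

    An empty list means none of the advisory's warning signs were present.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # 1. Executive's name in the display name, but the address is not ours.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if name.strip().lower() in EXEC_NAMES and from_domain != COMPANY_DOMAIN:
        reasons.append(f"executive display name '{name}' from external domain {from_domain}")

    # 2. Replies would go to a different domain than the one that "sent" it.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append(f"Reply-To domain differs from From domain ({reply_addr})")

    # 3. The request is for the data this scheme targets.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [term for term in W2_TERMS if term in text]
    if hits:
        reasons.append("requests sensitive payroll data: " + ", ".join(hits))
    return reasons
```

A message that trips any indicator should be confirmed by phone using the executive's number on file, never the contact details in the message itself.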
Fraud from a W-2 phishing scheme is often considered to fall under the umbrella of what is commonly called social engineering fraud, impostor fraud, or business email compromise fraud. It’s what the thieves are after that will determine where you look for coverage.
- If the cybercriminals steal money or securities, your organization would look to file a claim against its crime policy. A limited number of network security and privacy carriers may add a small sublimit related to this, so it’s important to check both policies and confirm that coverage is coordinated.
- If the cybercriminals steal information or data, your organization would look to file a claim against your network security and privacy liability policy.
Key questions to ask about your coverage include:
- Does your policy cover your liability in the event of theft of W-2 information or other sensitive employee information?
- Will your policy cover costs for sending notification to all impacted employees and providing them with identity monitoring services? For how long?
- Will your policy cover extra expenses that your employees and their dependents incur to hire tax attorneys to remediate tax fraud?
With strong employee education, proper controls, and comprehensive insurance in place, you can help ensure that your organization doesn’t become the latest victim.
How can we help?
Wells Fargo Insurance’s Technology, Privacy, and Network Security Practice group has knowledgeable and experienced brokers who focus on network security and privacy liability every day. They can help you understand your specific exposures and recommend the customized solutions that meet the needs of your business.
Wells Fargo Insurance clients also enjoy access to other training and guidance resources available from insurance carriers, as well as the eRiskHub®, a private, web-based portal that provides information and technical resources to assist in preparing for a network security or data privacy incident, and mitigating both the monetary and reputational impact associated with a breach.
For more information regarding this topic, please contact your Wells Fargo Insurance representative.
1. IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s https://www.irs.gov/uac/newsroom/irs-alerts-payroll-and-hr-professionals-to-phishing-scheme-involving-w2s
2. FTC Releases Annual Summary of Consumer Complaints https://www.ftc.gov/news-events/press-releases/2016/03/ftc-releases-annual-summary-consumer-complaints
3. Consumer Sentinel Network Data Book for January – December 2015 https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-january-december-2015/160229csn-2015databook.pdf