A growing number of businesses have been victimized by W-2 phishing scams. In a traditional phishing scam, a criminal tricks someone into providing confidential information, and then uses it to steal money and/or the victim’s identity. The W-2 phishing scam is a variation on this.
How it works
In a W-2 phishing scam, cybercriminals send emails to a company’s employees — typically in payroll, benefits or human resources departments — that claim to be from the company’s management. The emails request a list of employees along with their W-2 forms, Social Security numbers or other confidential data.
Here are some examples straight from the IRS:
“Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
“Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
If the employee responds, criminals can use this information to file fraudulent tax returns in the employees’ names, seeking refunds.
The scam is particularly nefarious because the employees it targets probably believe that, in complying with the emailed instructions, they’re doing exactly what they’re supposed to. Moreover, at first glance, the emails typically appear legitimate. Many contain the company’s logo and the name of an actual executive, typically gleaned from publicly available information.
The increasing number of such scams prompted the IRS to issue an alert in 2016: “IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s.”
Education is key
While these scams have become more prevalent, businesses can take steps to reduce their risk. Because the scams target humans, rather than the technology itself, education is key. Inform all employees, and particularly those in areas that handle sensitive data, of the scams. Remind them not to click on links or download attachments from emails that were unsolicited or sent by those they don’t know.
Employees often are nervous about questioning a request that appears to come from upper management, so encourage employees to double-check any request for sensitive information, no matter who appears to be making it. They should do this not by responding to the email in question, but by talking with a trusted supervisor or colleague.
Don’t fall victim
Technology has a role to play as well. Install robust antivirus and spam filters and keep them updated. With sensible precautions, businesses can reduce the risk of falling victim to W-2 phishing scams.