It’s that taxing time of the year.  Employees have received W-2 forms and the tax filing season has begun in earnest.  And, as night follows day, last year’s W-2 spear-phishing scam has returned.  The IRS and state tax authorities have issued a new alert  to HR and payroll departments to beware of phony emails intended to capture personal information of employees.   The emails generally appear to be from a senior executive (typically the CEO or CFO) to a company payroll office or HR employee and request a PDF or list of employee W-2 forms for the tax year.   Those forms contain all the information any cybercriminal needs to file a fraudulent tax return for a tax refund.   That scam cost the US taxpayer about $21 billon in 2016.  Over 70 companies fell victim to the 2016 scam and hundreds of thousands of employee records, including Social Security numbers, were compromised.

To refresh your memory, here are some of the details that may be contained in the emails:

• Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.

• Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).

• I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

We’ve already seen some activity on this front being reported from around the country.  These incidents not only create angst for employees, but they constitute data breaches reportable under state law because personal information has been exposed to an unauthorized (and unknown) individual and the risk of identity theft is high.   Last year’s incidents also resulted in class action lawsuits by employees against some of the victimized companies.

Employees Are Front Line of Defense

These emails look absolutely legitimate.  That is what makes them so effective.  The header of the email may look exactly as one would expect, mirroring the company fonts, duplicating automated signature blocks, and containing the actual email address of the spoofed executive in the “From:” line. Often, the return email address won’t even be visible until after the reply is sent unless the user specifically expands the address field. If you look carefully, it is likely that the domain name is a few characters “off” from the company’s legitimate domain name, such as substituting the number one (1) for the letter “l” or replacing a “.org” with a “.com”.   The more sophisticated attacks may utilize information obtained from LinkedIn® or social media designed to lull the target into a false sense of trust.

Awareness of these attacks and the problem is the key for employees.   

Train employees — particularly HR and payroll employees — who handle sensitive information to be wary of direct requests for personal information from company executives.   Send out samples of such emails and establish a campaign to raise employee consciousness.  A bit of skepticism goes a long way in protecting against this type of attack.  Confirmation of this type of request should be standard operating procedure, no matter who appears to have sent it.   Your company’s IT department should also be monitoring for phishing trends and remaining on the alert for suspicious outgoing activity, including large files or attachments.

Ask.  Since we have already seen reports of these attacks very early in this tax year, it is time to check in and insure that your company has not already fallen victim.   It’s important to respond quickly to reduce total damage to the organization, and most importantly, to your employees.  Affected individuals can protect themselves with certain forms filed with the IRS – but it’s only effective if they know soon enough.