June 23, 2021

Volume XI, Number 174

Advertisement

June 23, 2021

Subscribe to Latest Legal News and Analysis

June 22, 2021

Subscribe to Latest Legal News and Analysis

June 21, 2021

Subscribe to Latest Legal News and Analysis

A Reminder for Employers About W-2 Phishing Scams

For the past several years, thousands of businesses have been hit with phishing scams during tax season. Through these social engineering scams, hackers obtain employee Forms W-2 for filing fraudulent tax returns seeking large refunds. These phishing emails are typically sent as clients begin the process of issuing W-2s to employees.  Often employers do not know the scam has occurred until it is too late. The consequences from a successful W-2 phishing scam can extend well beyond leaked data, and may include potential employee class action litigation.

With the tax season quickly approaching, it’s worth re-visiting W-2 phishing email scams and describing steps an employer can take to help avoid them. The cyber-scam consists of an e-mail sent to an HR or Accounting department employee, presumably from an executive or “higher-up” within the organization. Both the TO and FROM e-mail addresses are legitimate internal addresses, as are the “sender” and recipient names. The fake e-mail asks the employee to forward the company’s W-2 forms, or related tax data, to the “sender.” This request aligns with the job responsibilities of both the employee and the supposed internal “sender.” Despite its appearance, the e-mail is a fake. The scammer is “spoofing” the company executive’s identity. In other words, the cyber-criminal is assuming the executive’s identity and e-mail address for the purpose of sending what appears to be a legitimate request for sensitive company information. The unsuspecting employee relies on the accuracy of the sender e-mail address, coupled with the sender’s job title and role, and forwards the confidential W-2 information. The information goes to a hidden e-mail address controlled by the cyber-criminal.

If successful, the cyber-criminal obtains a trove of sensitive employee data that can include names, addresses, salary information, social security numbers, and well as employer information needed for tax filings. The information is used to file fake individual tax returns (Form 1040) which generate fraudulent tax refunds, or it is sold on the dark web to identity thieves.

This cyber-scam is form of ‘spear phishing’ known as business email compromise (BEC) attacks, or CEO spoofing. Spear phishing attacks target a specific victim by using personal or organizational information to earn the victim’s trust. The cyber-criminal uses information such as personal and work e-mail addresses, job titles and responsibilities, names of friends and colleagues, personal interests, etc. to lure the victim into providing sensitive or confidential information.  Quite often, the scammer culls this information from social media, LinkedIn, and corporate websites. The method is both convincing and highly successful.

While an organization can use firewalls, web filters, malware scans or other security software to hinder spear phishing, experts agree the best defense is employee awareness. This includes ongoing security awareness training for all levels of employees, simulated phishing exercises, internal procedures for verifying transfers of sensitive information, and reduced posting of personal information on-line.

In the event your business falls victim to a W-2 phishing scam, it will need to respond quickly. This may require (i) investigating the nature and scope of the attack, (ii) ensuring the attackers are no longer in the business’s systems, (iii) determining whether the business must notify  individuals and state agencies of the data loss under applicable state law, and extend ID theft and credit monitoring services, (iv) notifying the IRS of a W-2 data loss at dataloss@irs.gov, (v) reporting the phishing email to the IRS at phishing@irs.gov and the Internet Crime Complaint Center of the FBI, as well as state taxing authorities, and (vi) helping employees with any questions about rectifying  their tax returns.

A W-2 e-mail phishing scam can have a devastating impact on a business and its employees. This year presents increased challenges for employers trying to guard against these scams. Due primarily to vulnerabilities created by COVID-19, social engineering attacks designed to compromise employee accounts or credentials have proliferated. The FBI cautions that cyber criminals are trying to obtain employees’ credentials regardless of their position within the company. With tax season upon us, expect to see more creative attempts to bait your personnel.

Jackson Lewis P.C. © 2021National Law Review, Volume XI, Number 41
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

Mary Costigan, Jackson Lewis Law Firm, Privacy Attorney, Cybersecurity, New Jersey
Associate

Mary T. Costigan is an Associate in the Morristown, New Jersey, office of Jackson Lewis P.C. She holds a Certified Information Privacy Professional/US designation from the International Association of Privacy Professionals (iapp). Ms. Costigan advises multinational, national, and regional companies on emerging privacy and cybersecurity issues, including the broad and growing array of mandates, best practices, and preventive safeguards. In particular, she focuses on advising and assisting clients in matters relating to compliance with the General Data Protection Regulation (GDPR) and U.S....

973-451-6367
Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Advertisement
Advertisement