This is a good time of year to remind employees to take precautions against W-2 phishing scams.
Hackers obtain employees' W-2 forms to file fraudulent tax returns that claim large refunds. These phishing emails typically arrive around the time firms have issued W-2s to their employees.
“A W-2 email phishing scam can have a devastating impact on a business and its employees,” warn attorneys Mary Costigan and Joseph J. Lazzarotti of the Jackson Lewis law firm.
The way the scam works: an email message is sent to an HR or accounting department employee, ostensibly from a higher-up. Both the "To" and "From" email addresses appear to be legitimate internal addresses, as do the sender and recipient names.
The fake email asks the employee to forward the company’s W-2 forms, or related tax data, to the sender. This request aligns with the job responsibilities of both the employee and the supposed internal sender.
Trusting the sender's email address, job title and role, the employee forwards the confidential W-2 information. The reply actually goes to the criminal's hidden email address.
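The mechanism described above (an internal-looking "From" address whose replies are silently routed elsewhere) is something a mail gateway or a payroll mailbox rule can check for before a human ever reads the message. The script below is an added example and is not code from the article or the law firm it quotes; it assumes the redirection is done with a Reply-To header pointing outside the company, that `example.com` stands in for the organisation's own domain, and that the gateway stamps an Authentication-Results header. Both sample messages are constructed for this example.

```python
"""Flag internal-looking emails whose replies would leave the organisation.

Added example, not from the original article. Assumptions: the company's
domain is example.com, the scam uses a Reply-To header (or failed SPF/DMARC
on a From address claiming the internal domain), and the mail gateway adds
an Authentication-Results header. Sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Constructed message resembling the W-2 scam: internal From, external Reply-To.
SCAM_MESSAGE = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
To: payroll@example.com
Reply-To: "Jane Doe" <jane.doe.ceo@mail-example.net>
Subject: W-2 forms needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.net; dmarc=fail header.from=example.com

Please send me the W-2s for all staff as a PDF. Thanks.
"""

# Constructed message that a genuine internal request would look like.
LEGIT_MESSAGE = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
To: payroll@example.com
Subject: Q1 headcount report
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Can you send me the headcount summary for the board pack?
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def check_message(raw):
    """Return a list of findings; an empty list means no redirection indicators."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    # Only messages claiming to come from inside the organisation are of interest.
    if from_domain not in INTERNAL_DOMAINS:
        return findings

    # Indicator 1: replies are steered to a mailbox outside the company.
    if reply_domain and reply_domain not in INTERNAL_DOMAINS:
        findings.append(
            f"Reply-To domain {reply_domain} differs from internal From domain {from_domain}"
        )

    # Indicator 2: the gateway's authentication checks failed for an
    # internal-looking sender, which a genuine internal message should pass.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech.upper()} failed for a message claiming to be from {from_domain}")

    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, "->", check_message(raw) or "no findings")
```

A rule like this belongs at the gateway or as a quarantine filter on the payroll and HR mailboxes; when it fires, the sensible response is an out-of-band verification step (phone the named sender) rather than a reply.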
“If successful, the cyber-criminal obtains a trove of sensitive employee data that can include names, addresses, salary information, social security numbers, as well as employer information needed for tax filings,” the attorneys explain.
The information is used to file fake individual tax returns to generate fraudulent tax refunds, or it’s sold on the Dark Web to identity thieves.
Citing experts, the attorneys remind employers that the best defense is employee awareness. This includes ongoing security awareness training for employees at all levels, simulated phishing exercises, internal procedures for verifying transfers of sensitive information, and limiting the amount of personal information posted online.