by John Farley and Emily Seick, Hub International
The W-2 phishing expedition is one of the fastest growing cyber scams today, and it’s especially relevant as the April 15 income tax filing deadline approaches.
Here’s how it works: Scammers pose via email as a senior company executive and request HR and Finance managers provide them copies of employee tax forms. Once a complete set is obtained, they sell it on the black market. Between $4 to $20 per form can be raked in by selling off the individual pieces of employee identity W-2s contain or using them to file tax returns and taking the refunds.
It’s trapped a surprising number of small business managers and the problem’s only escalating. Last year, W-2 phishing and malware incidents jumped 400 percent, the IRS reported. In 2015, the Federal Trade Commission said tax refund fraud had caused a 50 percent increase in consumer identity theft complaints.
Nine best practices can be put in place to help your small business and your employees avoid the risk of getting hooked:
1. Make multi-step verification your standard operating procedure.
A two-step or dual factor authentication process is recommended by the FBI for financial and sensitive requests involving employee data. The process could require two separate email requests or a combination of an email followed by a live phone call.
2. Train your people on signs that indicate when an email is fishy.
They tend to be a little off. The CEO’s address, for example, may have one letter different than it should be. Or there’s too much urgency: “I need all our W-2 forms immediately.” These emails also tend to be impersonal, without any sort of greeting or salutation – not something you’d expect from someone with whom you work regularly.
3. Set up a reporting procedure when possible scam emails are received.
The inclination is to just delete suspicious emails altogether. It’s better to steer them to your IT department for them to report, and a dedicated email address should be set up for that purpose.
4. Avoid public sharing on your website or social media pages information about your senior executives.
That includes their names, email addresses and hierarchy charts. That just feeds scammers information they need to bait their phishing hook.
5. Remind employees regularly before and during tax season of the risks of W-2 phishing schemes.
A limited number of staffers should have access to sensitive information like W-2 forms. You should also limit the circumstances under which such information can be shared.
6. Understand your W-2 clearinghouse or compliance management vendors and your contractual rights should a third party cause a data breach.
Their agreements may include a hold harmless clause or limit their liability to the cost of your contract if your information is breached under their watch. You’ll want to review and fix any issues before anything happens.
7. Encourage your employees to file their taxes early.
That makes it less likely that a hacker will get the jump on them, filing (and collecting the refund) on their behalf.
8. If you think your W-2s have been phished, notify the IRS immediately.
They’ll put a red flag on the account preventing a scammer from filing in the employee’s name. In another proactive move, some companies also monitor the dark web for employee and customer information.
9. Guard your firm before the fact with a cyber insurance policy.
The escalation of cyber crimes makes this critical. It covers a variety of needs, from hiring experts to help you recover from a cyber attack to lost income should a service outage occur. Commercial general liability and business operator policies won’t suffice.
The W-2 phishing scam is one of today’s most serious cyber crimes that can devastate any business, but especially a small one, which can find it a challenge to manage the costs to respond to a data breach. Affected employees must be notified, and state requirements may come into play as well. Plus, it could take years for employees to unravel what scammers have done with the IRS. Avoid the hacker’s net by being on guard and putting best practices in place now.
John Farley, Vice President and Cyber Risk Practice Leader at Hub International, has 23 years of experience in insurance and risk management. John is the internal lead resource for pre and post data breach services. John frequently speaks at cyber risk seminars and symposiums, and is an accomplished editorial contributor and thought leader on cyber risk management.
Emily Selck is the Cyber Liability Practice Leader for Hub International Midwest Limited’s Management and Professional Liability Group. She is responsible for developing and maintaining the Cyber Liability book of business, marketing, customer relationship management, and market relationships in the Chicago hub.