Every year from January to April, there is a recurring con that targets companies and their employees: a hacker sends a request to a company’s HR or finance team posing as the CEO or another executive, asking for copies of employees’ W-2 forms. In many cases, the employee happily complies, only to be handing over personal tax information into a cyber criminal’s hands. Not surprisingly, that hacker will then go on to file taxes on behalf of those employees and collect their tax returns, to the tune of several billion dollars annually.
How Can This Happen?
Most of the information needed to pull off this W-2 fraud ruse is publicly available online. Social media profiles, press releases, and company staff web pages give hackers what they need to create a convincing fake email. Most will be written in a familiar but urgent tone so that the recipient will feel compelled to accommodate. Hackers are not discouraged by spending a few days emailing back and forth to get what they’re looking for, but once they have the W-2s, they will be looking to move quickly and file returns within a day.
Before This Happens… Acknowledge and Communicate
CEOs and executives should proactively discuss this threat with their human resources, accounting, and finance teams and determine the protocols for review of W-2s. Everyone involved should know exactly under what circumstances they might be asked for W-2 materials, if at all; by whom, when, and via what communication. Similar to techniques for mitigating funds transfer fraud, our suggestion is that any requests of W-2s should ideally be made in person or verified by two forms of communication. As with all email scams, be extremely wary of handing over sensitive or personal information and always double-check with your security, IT, or executive team.
Tip: the easiest way to begin this discussion? Forward this blog post to the team.
What to Do If You Fall Subject to a W-2 Fraud Attack
Reach out to your cyber insurance carrier response hotline as soon as possible. You’ll have access to attorneys, IT forensic professionals, and identity theft experts, who will try to prevent any fraudulent tax filings using the compromised information. Your carrier should also help you set up a call center, a plan for notifying employees, and credit monitoring very quickly—all of which are covered under your cyber insurance policy.
The IRS requests that you also email email@example.com to notify them of a W-2 data loss and provide contact information. In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.
If the fraudulent tax filings have already occurred and employees are suffering from tax fraud, the IRS provides guidance on how to resolve the issue and re-establish your identity. Additionally, victims of identity theft should place a credit freeze on their credit accounts with the three major credit bureaus: Experian, Equifax and Transunion. You can also file a complaint with the FTC at identitytheft.gov.
Cyber Liability Insurance Kicking In
Falling victim to this W-2 scam is considered a data breach. A well-brokered cyber policy will respond to the first-party data breach expenses, such as the cost of notifying employees, IT forensics, and identity theft experts, as well as any potential legal fallout from employee class-action suits, should they occur.