As the April 15 IRS filing deadline approaches, cyber criminals have found more ways to cash in on your employees’ personal data for profit.
Business email compromise (BEC), one of the fastest-growing social engineering scams today, occurs when legitimate business email accounts are compromised and then used to request an unauthorized transfer of funds or employee W-2 forms.
Once they have the W-2s, attackers quickly turn them into cash: either by selling individual pieces of employee identity (Social Security numbers, employer ID, address, etc.) on the black market or, more commonly, by filing fraudulent tax returns and pocketing the refunds. Also known as W-2 phishing, this scam has caught a growing number of HR and finance executives over the last few tax seasons, who unknowingly forward their organization’s entire set of W-2 forms to the attacker.
According to the FBI, BEC scams continue to target small, medium, and large businesses as well as personal transactions, and have been reported in all 50 states. The FBI reported 41,058 domestic BEC incidents between October 2013 and May 2018, leading to $2.9B in losses. [1]
The ensuing costs and repercussions for businesses and individuals alike can be devastating. Businesses must respond to the data breach by hiring a privacy attorney, notifying affected employees and complying with state requirements based on where their employees reside. Individuals will have to iron out the details with the IRS, which could take several years to unravel.
Here are eight best practices to help your business and your employees prevent BEC scams and W-2 phishing:
- Instituting multi-step verification. The FBI urges businesses to adopt a two-step or dual-factor authentication process for financial and sensitive employee data requests. This could mean requiring two separate email requests or an email followed by a live phone call before W-2s are sent out.
- Training employees to recognize phishing scams. While an email may look like it came from the CEO, phishing emails are typically “off.” The CEO’s address, for example, may differ by a single character, such as a lowercase “l” replaced by an “i.” Secondly, the email’s urgency is typically overstated: “I need all the company’s W-2 forms immediately.” Finally, for someone with whom you interact regularly, the email is oddly impersonal, often lacking a salutation or greeting. Training employees to notice these details is key.
- Establishing an avenue for reporting. Even when an employee recognizes an email as phishing, they often don’t know how to report it, so they simply delete it. Establish a dedicated email address, monitored by the IT department, where employees can report a suspected phishing email.
- Don’t post key executives’ names, email addresses or a hierarchy chart. By posting hierarchical charts along with C-suite contact information on your website or social media pages, you could be feeding fraudsters just what they need to set up a social engineering scam.
- Keeping employees on their toes. Send out regular reminders before and during tax season, limit the number of staff members who have access to sensitive information such as W-2 forms, and define the circumstances under which they are allowed to share it.
- Understanding who your vendors are. Because most companies outsource their W-2s and other sensitive employee information to a W-2 clearinghouse or compliance management company, it’s important to review your vendor contracts to determine what rights you have to indemnification or recovery of information should a third party be the cause of your data breach. Vendor agreements often include a hold-harmless clause or limit the vendor’s liability to the value of your contract should your information be breached on their watch.
- Filing early. Urge employees to file their taxes early. The earlier they are filed, the less likely a hacker is to file on their behalf successfully. Victims most often learn of a tax fraud crime against them when their returns are rejected because someone beat them to the punch.
- Being proactive. If you suspect your W-2s have been stolen, notify the IRS so they can put a red flag on affected accounts. This red flag will prevent a fraudster from filing a tax return in the employee’s name. Additionally, some companies are doing proactive searches on the dark web to see if any of their employee or customer information is out there currently.
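The warning signs in the training item above (a look-alike sender address, overstated urgency, no salutation, and the W-2 request itself) can be turned into a simple triage score for a reported email. The following is an added example, not code from the article or from HUB; the executive directory, the phrase lists and the three sample messages are constructed for the example.

```python
"""Added example: score a reported email for the W-2 phishing warning signs.

Implements the signs listed in the article: a look-alike sender address
(e.g. "l" swapped for "1" or "i"), overstated urgency, a missing salutation,
and a request for payroll/tax data. Directory, phrase lists and samples are
constructed for this example; they are not from the article.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed directory: display names attackers impersonate -> real addresses.
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Characters that look alike in common fonts; folding them exposes swaps.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "I": "l", "0": "o", "|": "l"})
URGENCY = ("immediately", "urgent", "asap", "right away", "as soon as possible")
SENSITIVE = ("w-2", "w2", "wire transfer", "payroll", "direct deposit")
SALUTATIONS = ("hi", "hello", "dear", "hey", "good morning", "good afternoon")


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def fold(addr: str) -> str:
    """Normalize an address so visually confusable variants compare equal."""
    return addr.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; addresses are short, so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_sender(header: str) -> tuple[str, str]:
    """Split 'Display Name <addr>' into (name, address), both lowercased."""
    m = re.match(r'\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$', header)
    if m:
        return (m.group(1) or "").strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()


def score_message(sender: str, subject: str, body: str) -> Verdict:
    """Return a Verdict with a score and the human-readable reasons behind it."""
    name, addr = parse_sender(sender)
    v = Verdict()
    expected = KNOWN_EXECUTIVES.get(name)
    if expected and addr != expected:
        # Display name claims to be an executive but the address is not theirs.
        if fold(addr) == fold(expected) or edit_distance(addr, expected) <= 2:
            v.reasons.append(f"look-alike sender address {addr!r} (expected {expected!r})")
            v.score += 3
        else:
            v.reasons.append(f"display name {name!r} does not match the directory address")
            v.score += 2
    text = f"{subject}\n{body}".lower()
    if any(p in text for p in URGENCY):
        v.reasons.append("overstated urgency")
        v.score += 1
    if any(p in text for p in SENSITIVE):
        v.reasons.append("requests sensitive payroll/tax data")
        v.score += 2
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if not first_line.startswith(SALUTATIONS):
        v.reasons.append("no salutation")
        v.score += 1
    return v


# Constructed sample messages: (sender header, subject, body).
SAMPLES = {
    "lookalike": ("Jane Doe <jane.doe@examp1e-corp.com>", "W-2s",
                  "I need all the company's W-2 forms immediately. Send them as a PDF."),
    "legitimate": ("Jane Doe <jane.doe@example-corp.com>", "Board agenda",
                   "Hi Sam,\n\nAttached is the agenda for Thursday. No rush.\n\nJane"),
    "compromised_account": ("Jane Doe <jane.doe@example-corp.com>", "Quick favor",
                            "Need every employee's W-2 for the auditors ASAP, reply to this email."),
}


def run_samples() -> dict[str, Verdict]:
    """Score every constructed sample; handy for the usage demo below."""
    return {label: score_message(*msg) for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label}: score={verdict.score} reasons={verdict.reasons}")
```

The third sample is the important caveat: a genuinely compromised executive mailbox passes the sender check entirely, because the address really is the CEO’s. Only the content signals (urgency, the W-2 ask, no greeting) fire, which is why the out-of-band verification in the first best practice, a phone call before anything is sent, matters more than any mail filter.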
Make sure you’re protected with cyber insurance
While you can’t prevent BEC scams, including tax fraud, entirely, you can make sure you’re covered should one happen to you. A cyber insurance policy will get resources moving in the right direction with a single phone call.
Contact your HUB broker for more information on the best cyber insurance policy for your business and its risks.