Here are 8 best practices to halt W-2 fraud

As the April 15 IRS filing deadline approaches, cyber criminals have found more ways to cash in on your employees’ personal data for profit.

As one of the fastest growing social engineering scams on the market today, hackers pose as a company CEO or key executive via email, requesting copies of employee tax forms. Once they’ve garnered the complete set of W-2s, they quickly turn it into cold hard cash by selling it on the black market, earning anywhere from $4 to $20 a form (credit card numbers earn just $1 to $4 each), selling off individual pieces of employee identity (read: SS numbers, employer ID, address, etc.) and more commonly, filing taxes and pocketing refunds.

Known as W-2 phishing, this scam has trapped a surprisingly growing number of HR and Finance department executives in the last few tax seasons who unknowingly forward the hacker their organization’s fleet of W-2 forms. Last tax season, the IRS saw a 400 percent surge in W-2 phishing and malware incidents, and in 2015, the Federal Trade Commission reported that tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints.

The ensuing costs and repercussions for businesses and individuals alike can be devastating. Businesses must respond to the data breach by hiring a privacy attorney, notifying affected employees and complying with state requirements based on where their employees reside. Individuals will have to iron out the details with the IRS, which could take several years to unravel.

Here are 8 Best Practices to help your business and your employees prevent W-2 phishing and other tax fraud:

  1. Instituting multi-step verification. The FBI urges businesses to adopt a two-step or dual-factor authentication process for financial and sensitive employee data requests. This could mean requiring two separate email requests or an email followed by a live phone call before W-2s are sent out.
  2. Training employees to recognize phishing scams. While an email may look like it came from the CEO, phishing emails are typically “off.” When it comes to the CEO’s address, for example, one letter may be different, a lowercase “l” replaced by an “i,” etc. Secondly, the email’s urgency is typically overexpressed: “I need all the company’s W-2 forms immediately.” Finally, for someone who you have a decent amount of regular interaction, the email is impersonal, often lacking a salutation or greeting. Training employees to be sensitive to these details is key.
  3. Establishing an avenue for reporting. Even when an employee recognizes the email as phishing, they often don’t know how to report it, so they just delete it all together. Establish a dedicated email address that goes to the IT department where employees can report a phishing email.
  4. Don’t post key executives’ names, email addresses or a hierarchy chart. By posting hierarchal charts along with C-suite contact information on your website or social media pages, you could be feeding fraudsters just what they need to set up a social engineering scam.
  5. Keeping employees on their toes. Send out regular reminders before and during tax season and limit the amount of staff members that have access to sensitive information, like W-2 forms, and/or under what circumstances they are allowed to share them.
  6. Understanding who your vendors are. Because most companies outsource their W-2s and other sensitive employee information to a W-2 clearinghouse or compliance management company, it’s important to review your vendor contracts to determine what rights you have for indemnification or recovery of information should a third party be the cause of your data breach. Often vendor agreements include a hold harmless clause or limit their liability to the cost of your contract, should your information be breached on their clock.
  7. Filing early. Urge employees to file their taxes early. The earlier they are filed, the less likely a hacker is to file on their behalf successfully. Victims most often learn of a tax fraud crime against them when their returns are rejected because someone beat them to the punch.
  8. Being proactive. If you suspect your W-2s have been stolen, notify the IRS so they can put a red flag on affected accounts. This red flag will prevent a fraudster from filing a tax return in the employee’s name. Additionally, some companies are doing proactive searches on the dark web to see if any of their employee or customer information is out there currently.

Make sure you’re protected with cyber insurance

While you can’t prevent tax fraud entirely, you can make sure you’re covered should it happen to you. A cyber insurance policy will get resources moving in the right direction with a single phone call. Just by calling your HUB broker, we’ll get you connected to an experienced privacy attorney immediately, and together we’ll help you navigate through multiple state notification requirements and credit monitoring for your employees. Your HUB cyber insurance policy covers it all.  

Contact your HUB broker for more information on the best cyber insurance policy for your business and its risks.