The IRS is reporting a significant uptick in executive-level email attacks that result in W-2s being released to scam artists. The attack begins with a fake email, crafted to appear to come from one of the organization’s top executives, being sent to someone in human resources or payroll, specifically requesting employees’ W-2s: “Bill, I want you to send me the 2016 W-2 information (pdf) of all of our employees for a quick review.” This brief email is then followed up with a request from the same “executive” to initiate a wire transfer to a specific account. That is all it takes for an organization to be manipulated into handing over every employee’s W-2 information, which can then be used to file fraudulent tax returns and carry out other identity-theft related crimes – on top of the original theft of the wire transfer funds.
Prevention starts with vigilant protocols that require certain steps to be taken whenever an employee receives a request for sensitive information. Implementing ways to double- and triple-check such requests, sending periodic reminders to be on guard, and giving recipients of these emails explicit permission to immediately contact the person responsible for IT security are some steps to consider. Because email is the attacker’s channel into the organization, verification should take place outside of the normal email workflow, for example:
Establish a clear system for requesting sensitive information, such as W-2s. If these steps are not being followed, even by a top official, remind the sender about the process and insist on abiding by the chosen method.
Provide a direct channel to the person who supposedly made the request, by phone or in person, for follow-up confirmation, using contact details already on file rather than any phone number or reply address supplied in the email itself. Also, consider requiring a second approval source, which can help guard against internal theft of company and employee information, even by top-level management. If it is discovered that company email may have been compromised, the IT personnel responsible for security should be notified immediately.
Establish a specific, secure means of sending or providing the information requested, such as an encrypted document or a protected file sharing service, rather than attaching it to a reply to the requesting email.
Entrust someone with documenting and following up on the status of each request so that the company has a central record from which requests for protected information can be traced.
It is worth noting that the Internal Revenue Service Commissioner has commented that “this is one of the most dangerous email phishing scams we’ve seen in a long time.”
If you have been victimized by a W-2 scam, Wright Beamer can help you determine the state and federal notifications that must be provided to those impacted. Also, review the advice published by the IRS for your individual employee information that was compromised: https://www.irs.gov/individuals/identity-protection.