‘Tis the season to watch out for W-2 phishing scams

Earlier this month, the IRS sent out an urgent alert warning to employers that this W-2 phishing scam had spread beyond the corporate world to other sectors, including school districts, tribal organizations and nonprofits.

According to the IRS, this scam first appeared last year but is now circulating earlier in the tax season, and is hitting a wider variety of organizations.

When a company falls victim, the costs might not be limited to just paying for some identity theft protection and warning employees to file their taxes early to make sure that they’re the ones who get their tax refunds.

The information in these forms can be very valuable for all kinds of identity thieves, said Matt Cullina, CEO at CyberScout, which sponsored the survey.

As a result, employees have been filing class-action lawsuits against companies that failed to protect their information.

For example, San Francisco-based solar panel maker Sunrun is facing one such lawsuit after a payroll department employee sent tax documents to a criminal pretending to be the company’s CEO, according to reports published last month.

Over the past couple of years, there’s been a lot of media attention on the topic of tax return fraud.

And according to a survey CyberScout released this morning, the number of people worried about tax-related identity theft went up from 37 percent last year to 42 percent today.

Employee engagement and education is key to companies protecting themselves against the W-2 scam, said Cullina.

“Where we see most of the fraud happening is through social engineering,” he said. “The hacker impersonates the boss and sends an angry do-it-yesterday email to the HR department, “Send me everyone’s W-2 ASAP” — and they think they’re sending it to the boss, but if they look closely, the email address is slightly different and it’s a phishing scam.”

Fortunately, it’s an easy scam to stop.

“All the HR person has to do is send an email or text or phone call to the actual boss,” he said. “You can put 100 types of filters on your email systems, but the hacker will always stay one step ahead. The way to beat it is through training and engagement — make sure that all employees know that this is a big issue.”

And class-action lawsuits by angry employees isn’t the only potential bad consequence, he added.

For example, if salary data is released it could cause internal problems for a company or damage its public image, he said.

“We saw one situation recent with a small company with 100 employees,” he said. “I was on the phone with the CEO after the breach, and he was ready to fire the head of HR. He was worried that his salary data was going to be out there. it was more than just identity theft risk for him, but reputation risk.”

Meanwhile, the IRS itself has been making strides in battling tax return fraud. The number of people who filed affidavits saying that they were victims of identity theft fell 50 percent last year from 512,278 during the first nine months of 2015 to 237,750 in 2016, according to the IRS.

The IRS said that better cooperation with financial institutions, industry and states helped stop identity theft returns at a number of points in the process. This year, even more security measures will be rolled out, including more types of data collected, improved authentication mechanisms, and steps to ensure that refunds go to the right bank accounts instead of those belonging to criminals.

More on W-2 phishing scams:

• How to avoid falling for the W-2 phishing scam
• IRS makes tax refund scams harder but W-2 phishing attacks continue unabated
• Beware these 4 types of IRS scams
• More than 120,000 affected by W-2 Phishing scams this tax season