The W-2 phishing scams are back. Fraudsters have learned that W-2 phishing scams can be highly effective when targeting businesses while they are handling and sending employee income-tax-related documents early in a new year. Once fraudsters obtain the information on W-2 tax forms about employees from businesses, they quickly attempt to commit tax identity theft by filing fraudulent tax returns to obtain victims' refunds or to otherwise commit identity theft. Given that the Internal Revenue Service (IRS) is now accepting 2016 tax returns, we are seeing an increase in these W-2 phishing emails. Smaller and younger businesses, such as tech start-ups, can be particularly attractive to fraudsters since they are less likely to have formal policies and procedures in place for handling employee information.

What Is "Phishing"?

"Phishing" is a term used to describe someone sending an email impersonating a trusted business or person in an attempt to convince the email recipient to provide personal or financial information in a reply email, make payments to unauthorized individuals, click on a link or open an attachment that automatically installs malware on the recipient's computer, or otherwise further criminal activity. Sending a phishing email that is highly customized for a particular target recipient is called "spear phishing."

What Is the W-2 Phishing Scam?

The W-2 spear phishing scam is an attack where a fraudster impersonates a member of a business's senior management team and sends a phishing email targeting an employee at the business who is likely to have access to the W-2s for the business's employees. The phishing email typically contains a carefully worded request for the employee to reply with copies of all of the W-2 information for the business's employees. The sender will spoof the email header information so that it appears to come from senior management, but in fact any replies to the phishing email will be routed to the fraudster. The result is that employees may reply to the phishing email and thereby unintentionally send the requested W-2 information to someone outside of the organization.

What Can a Business Do to Protect Against the W-2 and Other Phishing Scams?

Businesses can take several steps to help their employees avoid phishing scams. Some examples include:

1. Put technical measures in place, such as installing email monitoring software to identify and block potential phishing emails from reaching employees in the first instance.
2. Implement administrative controls, such as a requirement for employees to obtain verbal confirmation from an email sender who requests (a) personal information, particularly when the request is for large amounts of such information, (b) a transfer of funds, or (c) other confidential or sensitive information.
3. Implement and educate employees about policies that prohibit senior management from requesting by email any personal, confidential, or sensitive information, and ban senior management from emailing instructions to employees to transfer funds.
4. Provide regular employee training about data security risks, such as phishing attacks, and increase general awareness of phishing attacks. For example, sending all employees early each year a reminder about W-2 phishing scams and posting information about phishing scams in a break room may help prevent employees from responding to one.
5. Instruct employees to be cautious when clicking on links and opening files in emails from unknown senders, or that otherwise look suspicious or seem unusual.

The Federal Trade Commission, IRS, and other government entities are educating businesses and consumers about tax identity theft awareness from January 30 to February 3. More information is available at https://www.ftc.gov/news-events/press-releases/2017/01/ftc-hosts-tax-identity-theft-awareness-week-jan-30-feb-3?utm_source=govdelivery. The FTC also has other resources to help educate people about phishing attacks, which are available at https://www.consumer.ftc.gov/articles/0003-phishing.

Wilson Sonsini helps clients handle all aspects of privacy and cybersecurity issues, including data breach response. For more information, please contact Tonia Klausner, Lydia Parnes, Chris Olsen, or another member of the firm's privacy and data protection practice.