The W-2 phishing scams are back. Fraudsters have learned that W-2 phishing scams can be highly effective when targeting businesses while they are handling and sending employee income-tax-related documents early in a new year. Once fraudsters obtain the information on W-2 tax forms about employees from businesses, they quickly attempt to commit tax identity theft by filing fraudulent tax returns to obtain victims' refunds or to otherwise commit identity theft. Given that the Internal Revenue Service (IRS) is now accepting 2016 tax returns, we are seeing an increase in these W-2 phishing emails. Smaller and younger businesses, such as tech start-ups, can be particularly attractive to fraudsters since they are less likely to have formal policies and procedures in place for handling employee information.
What Is "Phishing"?
"Phishing" is a term used to describe someone sending an email impersonating a trusted business or person in an attempt to convince the email recipient to provide personal or financial information in a reply email, make payments to unauthorized individuals, click on a link or open an attachment that automatically installs malware on the recipient's computer, or otherwise further criminal activity. Sending a phishing email that is highly customized for a particular target recipient is called "spear phishing."
What Is the W-2 Phishing Scam?
The W-2 spear phishing scam is an attack where a fraudster impersonates a member of a business's senior management team and sends a phishing email targeting an employee at the business who is likely to have access to the W-2s for the business's employees. The phishing email typically contains a carefully worded request for the employee to reply with copies of all of the W-2 information for the business's employees. The sender will spoof the email header information so that it appears to come from senior management, but in fact any replies to the phishing email will be routed to the fraudster. The result is that employees may reply to the phishing email and thereby unintentionally send the requested W-2 information to someone outside of the organization.
What Can a Business Do to Protect Against the W-2 and Other Phishing Scams?
Businesses can take several steps to help their employees avoid phishing scams. Some examples include:
The Federal Trade Commission, IRS, and other government entities are educating businesses and consumers about tax identity theft awareness from January 30 to February 3. More information is available at https://www.ftc.gov/news-events/press-releases/2017/01/ftc-hosts-tax-identity-theft-awareness-week-jan-30-feb-3?utm_source=govdelivery. The FTC also has other resources to help educate people about phishing attacks, which are available at https://www.consumer.ftc.gov/articles/0003-phishing.
Wilson Sonsini helps clients handle all aspects of privacy and cybersecurity issues, including data breach response. For more information, please contact Tonia Klausner, Lydia Parnes, Chris Olsen, or another member of the firm's privacy and data protection practice.