Last year, many businesses suffered data breaches during tax season when their employees divulged other employees’ W-2 information (including Social Security numbers) to criminals. Sadly, we are starting to receive reports that the criminals are back at it this year. Take action now to avoid being victimized and protect your employees’ data.  

Here’s what happens: between January 1 and April 18, an employee with access to payroll data receives an email from the company’s CEO or CFO asking for W-2 information so he or she can help prepare W-2s for employees. The well-meaning employee drops what he or she is doing and promptly emails the CEO or CFO the W-2 information. Often, the information is transmitted by email in an Excel spreadsheet or Word document and contains the W-2 information for all the company’s employees. The problem?  The real CEO or CFO did not send the email.  Instead, the email came from a criminal who manufactured an email that looked like it was coming from the CEO or CFO. So the email containing all the employees’ W-2 information goes to the criminal, not the CEO or CFO.  The criminal promptly proceeds to file fraudulent tax returns with the IRS and receives tax refunds.

The result is a data breach that, in most jurisdictions, triggers a reporting obligation. Furthermore, your employees must now take additional steps—such as filing an Identity Theft Affidavit with the IRS—to protect their identity, and they may have a very significant delay in receiving their tax refund.

This scam was so prevalent (and successful) last year that the IRS issued an alert on the topic. As the IRS reported, this was “part of [a] surge in phishing emails” and the scam claimed “several victims as payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information [were mistakenly emailed] to cybercriminals posing as company executives.”

Falling victim to this scam can be devastating for companies who are victimized: the costs incurred in responding can be significant, and they feel terrible for creating potential problems for their employees.

So we are writing to encourage you to take action—NOW—to prevent this from happening to your company. What can you do? There are several simple things you can do—starting today—including:

  1. Controlling access to payroll data and other sensitive data. Only those people in your company who absolutely need to have access to that data should be able to access it.
  2. Requiring a second step to authenticate requests for sensitive data before it can be released. For example, if an employee receives an email from the CEO or CFO asking for W-2 information, that employee must call (or talk to in person) the person requesting the information before releasing it.
  3. Spreading the word, and encouraging a “better-safe-than-sorry” approach to data security. Make your employees aware of these types of scams so a “red flag” goes up in their minds when they receive an email that might seem odd. And encourage them to ask questions or seek help if something does not seem right.

Taking these steps will greatly decrease your odds of falling victim to this scam.

But we realize that accidents will happen, even with great planning. If your company suffers a breach or potential breach, please give us a call. We have a data security team that has helped many companies navigate how to respond and recover. Or if you have questions about how to help prevent breaches, or reduce the impact of breaches, before they occur, we would be happy to talk to you about that as well.