W-2 phishing season is here…again

As the tax season gets underway, you can bet that cyber criminals are doing their tax preparations for W-2 phishing; they’re preparing to dupe hundreds of payroll and HR departments into providing W-2 data on their employees. These scams will inevitably lead to the filing of fraudulent tax returns, other identity theft cases and class-action lawsuits against companies that fell for the scams in the first place.

“The bad guys are starting their tax scams early this season!” warns Stu Sjouwerman, founder and CEO of KnowBe4. He says that cyber criminals are now combining two scams-in-one. “First, they ask you to send them the W-2 forms of all employees, with the email looking like it comes from the CEO or a C-level executive. Next, they follow up with an urgent request to transfer a large sum of money to a bank account controlled by these cyber criminals.”

Be proactive and consider these tips:
1. Perform awareness training so your employees recognize when they’ve received a W-2 phishing email.
2. Implement a policy for your organization that no W-2 information will be requested via email.
3. Require that employees verify any and all email requests for W-2 information, even those that express an urgency in the message.

“Remember that when you receive sudden requests like this,” Sjouwerman says, “they may be spoofed emails and that you should double check by picking up the phone and verify that this is a legit request coming from that executive.”

Furthermore, take heed to announcements from the Internal Revenue Service, like the one last month where the IRS warned of an email scam that targeted Hotmail users and was being used to steal personal and financial information.

The subject line of that phishing email read: “Internal Revenue Service Email No. XXXX | We’re processing your request soon | TXXXXXX-XXXXXXXX”. The email led taxpayers to sign in to a fake Microsoft page and then asked for personal and financial information. While the IRS reported that the suspect websites associated with this particular scam have been shut down, taxpayers should be on the lookout for similar schemes.

Take note also that the IRS generally does not initiate contact with taxpayers by email to request personal or financial information. Check out the Tax Scams and Consumer Alerts page on IRS.gov for updates.

To find out how the HIPAA experts at PrivaPlan can assist you with awareness training, and the many other services we provide, contact us at info@privaplan.com or call 877-218-7707.

Related Posts

What’s On Your Website?

The partnership combines PrivaPlan’s industry-leading guidance with Cyndelos’ AI technology to pinpoint website vulnerability and uphold website compliance.

Learn More +

Access PrivaPlan Toolkit

Access CMA-PrivaPlan Toolkit

Sign up for updates

Sign up. Learn about Compliance

Subscribe now for up-to-date information about privacy & security compliance! You’ll receive emails regarding news about compliance & alerts for new blog posts.