
W-2 Phishing Scam: What It Is and How To Help Protect Against It

By Steve Symanovich, a Symantec employee

 

Identity thieves would love to swipe your 2018 tax refund. One way they might try is by tricking your employer with a W-2 phishing scam.

Consider this: W-2 phishing schemes fooled more than 100 employers in the first 10 weeks of the 2017 tax season. That put more than 120,000 taxpayers at risk for identity fraud. The Internal Revenue Service warned that the scam went beyond employers to other industries and entities such as education, tribes and charities.

First, a quick definition: A W-2 phishing attack is a cyber tactic that hackers use to probe an organization’s infrastructure by sending an email from what might appear to be a top manager. The hackers might send a fake email from the CEO or CFO, for instance. Their aim is to acquire employees’ sensitive information from W-2s so they can leverage it to commit identity fraud.

How do W-2 phishing scams happen?

Tax season is a prime time for W-2 phishing scams. Here’s how they work in practice.

A fraudster might impersonate the CEO of a company in an email. The email—an “urgent” request—is sent to a staff member with access to employees’ Form W-2s.

The request might ask for employee tax information to be sent back in a single file. The email’s tone may be polite and direct—the fake exec needs the information right away.

The IRS cites this example: “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”

Eager to please the boss, the employee gathers the tax forms and emails them back.

Mission accomplished—for the identity thief. But it can be bad news for employees who have had personal information handed over to criminals.
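The pattern described above can also be checked automatically before a message reaches payroll staff. The following is an added example, not code from the original article or from Symantec: a small Python filter that scores an inbound email for the signs of a W-2 request scam. The company domain, executive names, keyword lists, and the Reply-To comparison are assumptions made for illustration, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"           # assumption: the organization's mail domain
EXECUTIVES = {"dana reyes", "lee park"}  # assumption: constructed executive names
W2_TERMS = re.compile(r"\bw-?2s?\b|earnings summary", re.I)
BULK_TERMS = re.compile(r"\ball\b.*\b(staff|employees)\b", re.I | re.S)
URGENCY_TERMS = re.compile(r"\burgent\b|right away|immediately|quick review|kindly", re.I)

# Constructed sample: the body is the request wording the IRS cites in the article.
PHISH = """From: Dana Reyes <dana.reyes@example.net>
Reply-To: payroll-review@example.org
Subject: Urgent request

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
"""
# Constructed sample: a routine internal notice that merely mentions W-2s.
BENIGN = """From: HR Team <hr@example.com>
Subject: Your W-2 is available

Your 2017 Form W-2 is now available in the payroll portal.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def w2_phish_signals(raw_email):
    """List the W-2 phishing indicators found in a single-part plain-text message."""
    msg = message_from_string(raw_email)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_domain, reply_domain = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    signals = []
    if display_name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        signals.append("executive name on external address")
    if reply_domain and reply_domain != from_domain:
        signals.append("reply-to domain differs from sender")
    if W2_TERMS.search(text):
        signals.append("asks about W-2 data")
        if BULK_TERMS.search(text):
            signals.append("bulk request for all staff")
    if URGENCY_TERMS.search(text):
        signals.append("urgent tone")
    return signals

def should_hold(raw_email):
    """Hold for phone verification when W-2 data is requested alongside two other signals."""
    signals = w2_phish_signals(raw_email)
    return "asks about W-2 data" in signals and len(signals) >= 3
```

A message that only mentions W-2s, such as the internal notice, passes through, while the impersonated request is held until someone confirms it with the executive by phone.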

Why your Form W-2 needs protection

W-2s are those essential forms you include when you file your taxes. They contain information such as your name, address, Social Security number, income, and tax withholdings.

That’s just about everything a fraudster needs to commit tax-related identity theft. Tax-related identity theft occurs when someone uses your stolen Social Security number to file a tax return claiming a fraudulent refund.

And that might not be the end of it. That same information could be used to open a new credit card or take out a loan in your name.

W-2 phishing schemes have wide reach

W-2 phishing scams first surfaced in 2016. The scheme has become a lot more prevalent since then. In the first four months of 2017, 870 organizations told the IRS they received a W-2 phishing email. That compares to about 100 organizations in the same period a year earlier.

Fraudsters have taken wide aim, hitting companies, payroll service providers, hospitals, nonprofits, public schools, and universities.

In one incident, a government cybersecurity contractor fell victim to the scam. Fraudsters stole the W-2 data of all employees.

The IRS has warned that W-2 phishing scams are back for the 2018 tax season. The scams can be sophisticated and convincing. That’s why employers and employees should know how to help protect against them.

5 ways to help protect against W-2 phishing scams

How can you minimize the chance of becoming a victim of a W-2 phishing scam? Company policies play a role. The individual efforts of staffers also play a role. Here are five ways to help protect against W-2 phishing schemes.

  1. Raise awareness: Employers should remind staff that it’s high season for W-2 phishing scams. Make sure employees—especially financial staff with access to tax information—know about the threat.
  2. Follow company policy: Employers often have policies about what kind of information can be sent by email. This usually includes rules regarding sensitive financial information. Sometimes, for instance, top executives are not allowed to make such requests via email.
  3. Stay vigilant: If you receive an email asking for sensitive information, do not comply. Such requests might include not only tax information or payroll records, but also account numbers or passwords.
  4. Verify the sender: If you receive a request from a company executive, contact the sender by phone to help make sure the request is legitimate. Be careful about sending the information, even if the executive says it’s OK.
  5. Flag scam emails: If you receive a W-2 scam email, let your employer know. Also, forward the email to phishing@irs.gov and put “W2 Scam” in the subject line.

Taking protective measures is no guarantee you won’t fall victim to a W-2 phishing scam. So, here’s a bonus tip for this tax season: It’s smart to file your taxes early, before identity thieves do it for you.
