The list of companies reporting stolen W-2 forms is growing as hackers kick up their phishing schemes for the current income tax filing season. For employees, the challenge is determining if that new email in your inbox is really from the CEO. How you respond could put your entire workforce at risk for identity theft.
The deadline for mailing out W-2 forms and other tax documents has just passed; yours could be sitting in your mailbox right now. With these forms now done, hackers have ratcheted up phishing emails to grab copies of that data. All they do is ping an employee likely to have access to the W-2 forms. Most masquerade in email as the CEO and employees often promptly share the W-2s to stay on the CEO’s good side. But the result is just the opposite because they just triggered a data breach.
W-2s contain your Social Security number (SSN), wages, taxes withheld and all the other data needed to submit a bogus tax refund request in your name. You may not learn of the hack until your legitimate tax return gets rejected because someone else filed previously posing as you.
One website that tracks data breaches ran up a list of 145 businesses compromised by W-2 scams last year before its owner decided she couldn’t keep up. Krispy Kreme and Sprouts grocers were included in last year’s tally. This year, the attack rate has accelerated.
Popular targets in 2017 include hospitals, non-profits, and school districts. Databreaches.net reports over a dozen schools have been hacked. But even breweries like Scotty’s Brewhouse in Indianapolis have been hit. In that case, the phishing email was sent to a payroll employee who released W-2s for 4,000 workers.
With hundreds of thousands of W-2s being stolen, it’s unlikely that one individual can use so many for identity fraud. Instead, many of those forms are now for sale online. Security blogger Brian Krebs reported on the W-2 data he located on the Dark Web, calling it a way for lazy hackers to partake in the tax refund bonanza.
HR Managers need to be sure any W-2 theft at your workplace is reported promptly to the IRS. “When employers report W-2 thefts immediately to the IRS, the agency can take steps to help protect employees from tax-related identity theft. The IRS, state tax agencies, and the tax industry working together as the Security Summit, have enacted numerous safeguards in 2016 and 2017 to identify fraudulent returns filed through scams like this,” an IRS statement issued February 2nd advised.
No one wants to be the employee who makes this blunder. As an employee, you may want to ask your Human Resources department for training on how to spot bogus emails. Share ID Watchdog’s advice on phishing tests to help put the lid on these lucrative attacks.