Fraudulent W-2 Inquiries to HR Departments Leave Company Data Exposed

Last year’s W-2 email phishing scam has reappeared. The IRS issued an alert on January 25, 2017, warning human resources and payroll departments about the scam, which attempts to gain access to sensitive information.

What to look for:
– Cybercriminals send an email using a C-level officer’s name, requesting a list of employees, their Social Security numbers, and various W-2 information.

– Common verbiage found in these phishing emails includes:
o Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
o Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
o I want you to send me the list of the W-2 copy of employee’s wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
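
A mail-triage heuristic for the indicators listed above, added here as an illustration and not taken from the IRS alert or any product: it flags bulk W-2/SSN requests and holds those whose executive display name does not match the address on file. The `EXECUTIVES` directory, the example.com addresses and the verdict names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: directory of executives and their real addresses (constructed).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Terms taken from the request wording quoted in the alert above.
DATA = re.compile(r"\bw-?2\b|social security number|\bssn\b|wage and tax"
                  r" statement|earnings summary|date of birth", re.I)
BULK = re.compile(r"\ball\b|list of (the )?(employees|w-?2)|company staff", re.I)

def body_text(msg):
    """Join every text/plain part and collapse whitespace."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(" ".join(chunks).split())

def triage(raw_message):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    text = msg.get("Subject", "") + " " + body_text(msg)
    reasons = []
    if DATA.search(text) and BULK.search(text):
        reasons.append("bulk W-2/SSN request")
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        reasons.append("executive name on unlisted address")
    if len(reasons) == 2:
        return "hold", reasons    # quarantine; confirm with the executive by phone
    if reasons[:1] == ["bulk W-2/SSN request"]:
        return "verify", reasons  # even a genuine sender needs a second approver
    return "pass", reasons

# Constructed sample: wording quoted in the alert, sent from a look-alike domain.
SPOOFED = (
    "From: Jane Doe <jane.doe@mail-example.net>\n"
    "To: payroll@example.com\n"
    "Subject: Quick review\n\n"
    "Kindly send me the individual 2016 W-2 (PDF) and earnings summary "
    "of all W-2 of our company staff for a quick review.\n")

if __name__ == "__main__":
    print(triage(SPOOFED))
```

Keyword matching of this kind only routes a message to a person; the phone confirmation and two-party approval described on this page remain the actual control.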

What happens when compromised:
– Leaked data is used to file fraudulent tax returns to claim the tax refunds.
– Leaked Social Security numbers can cause further identity theft issues. At times, this information is sold by cybercriminals on the black market, increasing their profits and causing more damage to the involved parties.

How to stay safe:
– If you’re ever unsure of the authenticity of a request, reach out to the party directly via phone to confirm.
– Never release sensitive data in plain text. Use a confidential platform to provide an extra layer of security. Microsoft provides several fantastic options, like their Enterprise Mobility + Security platform.

In the fight against cybercrime, it’s important to note that anti-virus and anti-malware software are not enough to prevent all phishing attacks. Therefore, put internal processes in place to help stay secure, such as requiring verification from two parties before releasing sensitive information. Additionally, ensure you have a functioning backup and disaster recovery option in place, so that in a worst-case scenario you can continue operations.