COOS BAY — April's tax filing deadline is a month away but this is prime time for scam artists looking to cash in on personal tax information. The FBI's Internet Crime Complaint Center issued a warning for businesses and employees to be on the watch for W-2 theft. If a cyber thief gets your W-2, they now have the ability to file your tax return and get your refund before you do. They also has access to a great deal of personally identifiable information including your Social Security number.
The most common way a scam artist gets a W-2 is through a phishing scheme. They pretend to be an executive at the company, sending an email to the human resources department requesting employees' personal information or their W-2's, allegedly for tax or audit purposes. In some cases, the fraudsters have been able to cause a massive data dump affecting thousands of employees.
Sometimes these requests for data are followed by or combined with a more traditional business email compromise scheme where the fraudster convinces the finance department to make unauthorized wire transfers under the executive's spoofed authority.
To mitigate the threat business should limit the number of people who have access to employees' personal info and W-2s. Set up two-factor verification systems to confirm the request and receipt of such sensitive information. This could be as simple as a phone call or a face-to-face meeting. Establish protocols for sensitive information requests ahead of time and outside of the email environment. You don't want a hacker who already has access to your system to know what your backup security measures include. Ensure that you secure sensitive PII and W-2 information with encryption. Establish and maintain robust and strong security for your data, including firewalls, virus protection and spam filters.
Businesses that have suffered a data breach involving tax information should immediately report it to the IRS and their state tax agency. The IRS also wants to hear from you if you received a W-2 phishing email but did not fall victim to the scam.
If you have been victimized by this online scam or other cyber fraud, be sure to report it to the FBI's Internet Crime Complaint Center at www.ic3.go.