Security Alert: Targeted Tax Fraud Scam is Hitting Growing Number of Businesses
It’s tax season, and we’re currently managing several data breaches for a number of organizations that have all fallen victim to this same, new scam. Cyber-criminals are sending HR or finance staff emails purporting to be from the CEO or another top executive and asking for employee W-2 information. When these phishing attempts are successful, the data thieves either use the breached information to file false tax returns and collect the employee’s tax refund, or they sell it to other criminals who will file false returns. CSO reports that firms of all kinds and sizes are being targeted, from sophisticated tech companies to healthcare, social services, and small construction firms.
While this kind of data breach is typically small compared to the multimillion customer breaches that often make headlines, the financial (and other) damage to employees can be huge. Not only can they lose their tax refunds, cyber thieves can use the SSN and other info in the W-2s to commit other kinds of fraud. And this kind of targeted crime has a high payoff per victim, so criminals are happy to target small and medium-sized businesses, which may be less vigilant than larger companies.
You can protect your company and employees from this scam. In the short term, educate all staff who deal with payroll and tax data. If they receive an unusual request for employee tax information, tell them to carefully check the sender’s email address and to confirm the request with a supervisor or directly with the supposed sender. Notify them multiple times and through multiple channels, just in case. (If you already have an ongoing security awareness program in place, you’re ahead of the game. You can just add this to your regular scam updates.) In the longer term, set policies so there are checks and balances on who can access employee data and how.
If your organization does experience this type of data breach, you need to respond fast. Criminals have a short time frame to exploit the tax information, so the sooner you can notify employees and they can notify the IRS, the better chance they have to file their returns ahead of fraudsters. It’s also important to provide identity protection and recovery services to help those who do become victims to recover from identity theft. Not only will these services help employees recover financially and protect themselves against future fraud, but they will also help protect employee productivity and rebuild trust in the organization. A good response service provider will also help your team figure out notification and compliance requirements and how to work with law enforcement.
These days, it seems cyber-crime is becoming as inevitable as “death and taxes,” but you can help taxes from becoming even more painful for your staff.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.