On March 14, it was reported in CSO [1] (a leading cybersecurity outlet) that 110 organizations experiences successful phishing attacks targeting their W-2 records. This put more than 120,000 taxpayers at risk for identity fraud. Despite warnings from the IRS [2] in early February, employees continue to fall victim to the bad guys’ ploys.
This wildly successful phishing scheme works like this: malicious actors spoof (or pretend to be) the CEO or President of a company and email a CFO or similarly positioned employee to request copies of all employees’ W-2 forms. The employee falls victim to the fake email, shares confidential information and the damage is immediately done.
W-2 Fraud attacks are particularly dangerous because of the ongoing fall out. In fact, IRS Commissioner, John Koskinen wrote in a statement [2], “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.”
Fraud in Education
So why should education care? While once a problem isolated only in the corporate world, cybercriminals have extended their target base to target a wider range of organizations than ever before. Among the 110 victim organizations, many were schools: Northwestern College [3], The College of Southern Idaho [4], Daytona State [5], Groton School District [6] in Connecticut, Redmond School District [7] in Oregon, Yukon Public Schools [8] in Oklahoma. This is only a sampling, but underscores that no entity is off-limits and that educational institutions need to take precautions to protect themselves.
Regardless of size, geographical region, level of education (secondary and higher ed), we’re seeing school employees across the board fall victim.
(Next page: How institutions and schools can protect against W-2 fraud)
What to do about W-2 Fraud
As noted, the problem is not exclusive to educational organizations—organizations of all sizes and verticals are at risk. However, the precautions are the same for everyone. The good news is that it’s not exactly rocket science.
Here are some basics to better protect your organization, and all its employees:
- Spread the Word:Before anything else, warn your Accounting and HR teams NOW that there is a strain of CEO Fraud asking for W-2’s. Tell them to watch out for fraudulent emails asking for W-2 information, and to always verify requests of this nature using something other than email (phone, text, an in-person conversation). Warning these teams immediately may prevent a host of problems.
- Stay Alert:When you get any email about your taxes, or your W-2 from literally anybody, whether you know them or not, pick up the phone and verify with your known, trusted tax professional that it was he or she that sent the email. If you send tax information via email, triple-check that the email address you are sending to is correct, and type it in yourself in the “To” field.
- NEVER click on “reply” and attach your tax information, because that reply email address might be spoofed. Want to be 100 percent safe? Hand-carry your tax info to your tax professional and do the tax return in person with him or her.
- If you are unable to hand-carry your information, make sure it is encrypted before sending. Many accountants have such encryption programs in place that allow for a safer relay of confidential information.
- Educate:Read and circulate this link to the IRS site with more tax scams organizations need to watch for: https://www.irs.gov/uac/tax-scams-consumer-alerts [9].
- Sound the Alarms: If you receive a scam, report it. The IRS says organizations receiving a W-2 scam email should forward it to phishing@irs.gov [10] and place “W2 Scam” in the subject line.
While W-2 fraud is in full swing during tax season, similar phishing and social engineering techniques happen all year round. Always ensure you and your colleagues keep a high-level of vigilance by remembering a few basic things: No matter the time of year, if you receive an email that has mis-spellings, grammar mistakes or just sets off your internal alarm, DO NOT respond, forward, or click any link inside the email. Call to confirm who sent it to you, and if this person cannot confirm, immediately engage your IT department.