By John Farley and Emily Selck
Cyber criminals have found more ways to cash in on your employees’ personal data for profit. Small business owners should be on the alert.
As one of the fastest growing social engineering scams on the market today, hackers pose as a company CEO or key executive via email, requesting copies of employee tax forms. Once they’ve garnered the complete set of W-2s, they quickly turn it into cold hard cash by selling it on the black market, earning anywhere from $4 to $20 a form (credit card numbers earn just $1 to $4 each), selling off individual pieces of employee identity (read: SS numbers, employer ID, address, etc.) and more commonly, filing taxes and pocketing refunds.
Known as W-2 phishing, this scam has trapped a surprisingly growing number of HR and Finance department executives in the last few tax seasons who unknowingly forward the hacker their organization’s fleet of W-2 forms. Last tax season, the IRS saw a 400 percent surge in W-2 phishing and malware incidents, and in 2015, the Federal Trade Commission reported that tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints.
Here are 9 Best Practices to help your small business and your employees prevent W-2 phishing and other tax fraud:
- Instituting multi-step verification. The FBI urges businesses to adopt a two-step or dual-factor authentication process for financial and sensitive employee data requests. This could mean requiring two separate email requests or an email followed by a live phone call before W-2s are sent out.
- Training employees to recognize phishing scams. While an email may look like it came from the CEO, phishing emails are typically “off.” When it comes to the CEO’s address, for example, one letter may be different, a lowercase “l” replaced by an “i,” etc. Secondly, the email’s urgency is typically overexpressed: “I need all the company’s W-2 forms immediately.” Finally, for someone who you have a decent amount of regular interaction, the email is impersonal, often lacking a salutation or greeting. Training employees to be sensitive to these details is key.
- Establishing an avenue for reporting. Even when an employee recognizes the email as phishing, they often don’t know how to report it, so they just delete it all together. Establish a dedicated email address that goes to the IT department where employees can report a phishing email.
- Don’t post key executives’ names, email addresses or a hierarchy chart. By posting hierarchal charts along with C-suite contact information on your website or social media pages, you could be feeding fraudsters just what they need to set up a social engineering scam.
- Keeping employees on their toes. Send out regular reminders before and during tax season and limit the amount of staff members that have access to sensitive information, like W-2 forms, and/or under what circumstances they are allowed to share them.
- Understanding who your vendors are. Because most companies outsource their W-2s and other sensitive employee information to a W-2 clearinghouse or compliance management company, it’s important to review your vendor contracts to determine what rights you have for indemnification or recovery of information should a third party be the cause of your data breach. Often vendor agreements include a hold harmless clause or limit their liability to the cost of your contract, should your information be breached on their clock.
- Filing early. Urge employees to file their taxes early. The earlier they are filed, the less likely a hacker is to file on their behalf successfully. Victims most often learn of a tax fraud crime against them when their returns are rejected because someone beat them to the punch.
- Being proactive. If you suspect your W-2s have been stolen, notify the IRS so they can put a red flag on affected accounts. This red flag will prevent a fraudster from filing a tax return in the employee’s name. Additionally, some companies are doing proactive searches on the dark web to see if any of their employee or customer information is out there currently.
- In the case this should happen to you, make sure you’re covered with a cyber insurance policy. Cyber insurance covers the expense of hiring experts to defend and get you up and running and for lost income due to service outages. None of this is covered by commercial general liability or business operator policies.
The ensuing hours of time and exorbitant costs and reputation repercussions for small businesses and individuals alike from this fraud can be devastating. Businesses must respond to the data breach by hiring a privacy attorney, notifying affected employees and complying with state requirements based on where their employees reside. Individuals will have to iron out the details with the IRS, which could take several years to unravel. Small businesses cannot afford this.
Be on the alert so you can help prevent this cyber fraud and its devastating consequences on your business.
John Farley, Vice President and Cyber Risk Practice Leader at Hub International, has 23 years of experience in insurance and risk management. John is the internal lead resource for pre and post data breach services. John frequently speaks at cyber risk seminars and symposiums, and is an accomplished editorial contributor and thought leader on cyber risk management.
Emily Selck is the Cyber Liability Practice Leader for Hub International Midwest Limited’s Management and Professional Liability Group. She is responsible for developing and maintaining the Cyber Liability book of business, marketing, customer relationship management, and market relationships in the Chicago hub.