Let’s get the old news out of the way: tax season starts on January 29, 2018.
Now, before you start blowing a sad-sounding slide whistle to lament having a week less than last year, let’s think about the silver lining: you have an extra week to dedicate to getting ready for the deluge of phishing scams.
While that might not really be exciting news, consider this: the IRS is predicting a surge in the recurring Form W-2 scam that, according to the agency, “made victims of hundreds of organizations and thousands of employees last year.” And it was far-reaching, affecting businesses, schools, hospitals, and government officials.
How does the W-2 phishing scam work?
Here’s what you can expect to see if one of these W-2 phishing scams lands in your inbox: perpetrators will pose as top officials in the organization—whether the company CEO or school principal, whatever applies, really—and send an email to all employees and staff that requests their Form W-2 information.
The email may even be part of a larger chain, beginning with small talk to set the hook. Once the fraudster gets an employee to respond, the requests for W-2 information begin. If the employee sends that data—full name, address, SSN, and other tax-related info—the criminal then attempts to sell it on the Dark Net.
What should I do to prevent employees from being duped?
Some of the most common and effective tactics used by identity thieves involve convincing targets that their requests are routine; the expectation is that victims won’t even think twice before sending along private information. That’s why the IRS recommends you limit how many employees can make requests for private data and create a policy requiring additional verification steps.
What should I do if I’ve been affected by a W-2 phishing scam?
If your business has been hit by the Form W-2 phishing scam, inform the IRS as soon as possible. Here are some instructions from the agency: make the subject line of your email “W2 Data Loss,” and be sure to include information like your business name, EIN, contact name and phone number, and a summary of the event (how did it happen, and how many employees were affected).
Aside from sending an email to the IRS, all affected employees may want to consider treating this data theft like the Equifax breach. Once your information hits the Dark Net, it’s not a matter of if, but when someone uses that data to apply for a credit card or loan. One way to keep those requests from being successful is to lock down your credit report with Equifax, Experian, and TransUnion by requesting a credit freeze.
NOTE: People who do this need to remember that it won’t prevent criminals from using credit cards or money from loans that were issued prior to the credit freeze, and they will have to directly contact each of the credit agencies to unfreeze their accounts when applying for a new card or loan.
Ryan Norton, contributor