The Basics of W-2 Phishing Scams

A growing number of businesses have fallen prey to W-2 phishing scams. In a typical phishing scam, someone is tricked into providing personal information which is then used to steal their money and/or their identity. The W-2 phishing scam is a variation of this.

How It Works

In a W-2 phishing scam, cybercriminals send e-mails to a business’s employees — usually in payroll, benefits or human resources departments — that purport to be from the company’s upper management. The e-mails request a list of employees along with their Forms W-2, Social Security numbers or other personal data.

Here are some examples provided by the IRS:

“Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”

“Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”

If the employee replies, scammers can use this data to file fraudulent tax returns in the employees’ names, seeking invalid refunds.

The scam is particularly reprehensible since the employees it focuses on likely believe that, by supplying the requested information, they’re doing exactly what they’re supposed to. Additionally, at first glance, these e-mails usually appear legitimate. Many contain the company’s logo and the name of an actual executive. This information is readily available to the general public.

Education Is Crucial

While these scams have become more commonplace, companies can take steps to reduce their risk. Since the scams target individuals, rather than the technology itself, education is crucial. All employees, especially those in areas that handle sensitive data, should be briefed on the scams. Remind them not to click on links or download attachments from e-mails that were unsolicited or sent from unfamiliar sources.

Employees are often wary about questioning a request that appears to come from the company’s administration, so reassure them that it’s OK to double-check any request for personal information, no matter where the inquiry comes from. They should do this not by responding to the e-mail in question, but by checking with a trusted supervisor or colleague.

Don’t Fall Victim

Technology can also help limit these occurrences. Install strong antivirus software and spam filters and keep them updated. This can help weed out phishing e-mails. By taking practical precautions, businesses can reduce the risk of falling prey to W-2 phishing scams.
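As an illustration of the kind of check a mail filter can apply to the requests described above, here is an added example (not part of the original article or any vendor's product). The company domain, executive names, sample messages and the two sender heuristics are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"        # assumption: the company's mail domain
EXECUTIVES = {"jane doe", "sam lee"}  # assumption: constructed executive names

# Phrases taken from the IRS sample requests quoted in the article.
DATA_REQUEST = re.compile(
    r"\bW-?2s?\b|social security number|\bSSN\b|date of birth|"
    r"list of employees|earnings summary",
    re.IGNORECASE,
)

def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    return "\n".join(
        part.get_payload(decode=True).decode("utf-8", errors="replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )

def assess(raw):
    """Return the reasons a message needs out-of-band verification."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if not DATA_REQUEST.search(text):
        return []  # no request for employee tax or identity data
    reasons = ["requests employee W-2 or personal data"]
    from_domain = addr.rpartition("@")[2].lower()
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append("executive display name on an external address")
    if reply_to and reply_to.rpartition("@")[2].lower() != COMPANY_DOMAIN:
        reasons.append("replies are routed outside the company")
    return reasons

# Constructed sample messages; the request text is from the IRS examples.
SPOOFED = ('From: "Jane Doe" <jane.doe@mail-example.test>\n'
           "Reply-To: jane.doe@mail-example.test\nSubject: Quick review\n\n"
           "Kindly send me the individual 2015 W-2 (PDF) and earnings summary.\n")
INTERNAL = ('From: "Sam Lee" <sam.lee@example.com>\nSubject: Request\n\n'
            "Can you send me the updated list of employees with full details?\n")
BENIGN = 'From: "Jane Doe" <jane.doe@example.com>\n\nLunch moved to 1 pm.\n'

if __name__ == "__main__":
    for sample in (SPOOFED, INTERNAL, BENIGN):
        print(assess(sample))
```

A request that arrives from an internal address is still flagged for verification, in line with the advice to double-check any request for personal information no matter where it comes from.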

© 2017

