Tax season is the time to be on the lookout for W-2 phishing scams.

Don’t Get Hooked by the W-2 Phishing Scam

With the U.S. tax season now in full swing, you can expect to see the return of another seasonal phenomenon: W-2 phishing scams. Although they’ve been around for a few years now, these scams keep popping up for one basic reason. They still work.

That’s the bad news. The good news is you can take a variety of actions to avoid falling victim to one of these scams. We’ll go through some of these actions and explain why proactive security awareness training is the key to everything you do. But, first, let’s dive a bit deeper into what typical W-2 phishing looks like:

  • The context: All types of organizations have just generated employee W-2 tax forms. Cyber criminals want to access these forms and exploit the sensitive information to file fraudulent tax returns, claim refunds, and/or steal personally identifiable information (PII).
  • The method: Cyber criminals typically target larger organizations (with 500 or more employees) through a social engineering technique known as phishing.
  • The hook: Criminals often pose as the company CEO or another high-level executive, sending emails to employees in payroll, accounting, or HR roles to request employee W-2 forms. Usually, there’s a strong sense of urgency associated with the request.
  • The goal: The ultimate prize is the large-scale theft of a potential treasure trove of employees’ personal data to exploit or sell.

Although the primary target is typically larger companies, the W-2 scam can also impact smaller businesses or individuals. However, the somewhat limited amount of employee data available makes these cases relatively rare.

What to watch for with this scam

Employees in HR and payroll departments tend to be the primary targets, especially newer or junior members of the team who might be more susceptible to unquestioningly following the chain of command. The sense of urgency and the appearance of a request coming directly from a corporate executive are common psychological tactics used to ramp up the recipients’ level of anxiety.
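The indicators above (an executive's name on the From line that does not match that executive's real address, an external sender or mismatched Reply-To, a request for W-2 data, and urgency language) can be checked mechanically before a message ever reaches a payroll inbox. The following is an added example, not code from the original article or from PDI; it assumes a hypothetical executive roster (`EXECUTIVES`), a hypothetical internal domain (`example.com`), and two constructed sample messages, and it scores each message by how many of those indicators it trips.

```python
"""Score raw email messages for the W-2 phishing indicators described above.

Added example. EXECUTIVES, INTERNAL_DOMAINS and the two sample messages are
hypothetical/constructed, not data from the article.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical roster: executives likely to be impersonated, mapped to the
# only address each one legitimately sends from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}  # hypothetical company domain

W2_TERMS = re.compile(r"\bw-?2s?\b|wage and tax statement", re.I)
URGENCY_TERMS = re.compile(
    r"\b(asap|urgent(ly)?|immediately|right away|today|before (noon|eod|end of day))\b",
    re.I,
)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: bytes) -> dict:
    """Parse an RFC 5322 message and return the indicators it matches."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    subject = msg.get("Subject", "")

    indicators = []
    name_key = from_name.strip().lower()
    # Display-name impersonation: the name is an executive's, the address is not.
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        indicators.append("display name matches an executive but address does not")
    if from_addr and _domain(from_addr) not in INTERNAL_DOMAINS:
        indicators.append("sender domain is external")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        indicators.append("Reply-To domain differs from From domain")
    if W2_TERMS.search(text) or W2_TERMS.search(subject):
        indicators.append("requests W-2 data")
    if URGENCY_TERMS.search(text) or URGENCY_TERMS.search(subject):
        indicators.append("urgency language")
    return {"from": from_addr, "indicators": indicators, "score": len(indicators)}


# Constructed sample: the classic CEO-impersonation W-2 request.
PHISH = b"""From: Jane Doe <jane.doe@example-ceo-mail.com>
Reply-To: jane.doe@example-ceo-mail.com
To: payroll@example.com
Subject: W-2 copies needed today
Content-Type: text/plain; charset=utf-8

Hi, I need PDF copies of all employee W-2s for a review before noon today.
Please send them ASAP.
"""

# Constructed sample: a routine internal message from the real executive.
LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Quarterly review

Can we meet Thursday to go over the quarterly numbers?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(raw))
```

A score of 2 or more (executive impersonation plus a W-2 request, say) is a reasonable threshold for quarantining the message and alerting the payroll team; a single indicator such as "urgency language" on its own is too noisy to act on.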

This is a great reminder that cyber criminals are smart about who they target—and when they do so. And if you don’t evolve your security strategies as quickly as they do, you could be vulnerable to an attack. With more people working remotely during the COVID-19 pandemic, there’s an even greater chance of confusion, miscommunication, and errors this year.

Tips for IT security professionals

If you’re an IT security professional, you can do a lot to protect your company and your fellow employees. Start with security awareness training. If you can keep cybersecurity top of mind for all employees, that’s an enormous step toward reducing your risk exposure.

As various phishing scams enter and exit public awareness, it’s important to continually remind employees about what to watch out for. Integrate ongoing security awareness training into your standard business operations so employees don’t come to view it as little more than an annual compliance box they need to check.

A good way to accomplish this is to send timely reminders about recurring seasonal scams, such as emails promising a free gift card during the holiday season or requests to share W-2 forms during tax season. And constantly reinforce the rule of NEVER opening a document of any kind from an unknown source, especially one that promises something or carries a sense of urgency or threat.

The unique value of penetration testing

One proven technique to elevate security in the minds of employees is to conduct a penetration test modeled after common phishing attack methods, in other words a simulated phishing campaign. It's always astounding to see how many employees fall for the scam and end up opening an infected document or clicking on an unverified link.

You might hear a lot of responses from exasperated employees who say “you tricked us” or “you didn’t warn us.” The most appropriate response is to ask them if real hackers plan to give them a heads-up that a phishing scam is in their inbox.

However, it's important to remember that the ultimate goal is to educate employees, not to embarrass anyone or create ill will. You need to get everyone to recognize the true threat in an actual work environment. It's also crucial that any security awareness training explains the "why" to employees so they fully understand the business value associated with cybersecurity.

Specific guidance for the W-2 phishing scam

In regard to the W-2 phishing scam in particular, you can customize security awareness training for specific audiences, such as the HR and payroll teams, to:

  • Alert them about the scam and what to watch for
  • Provide guidance on how to handle W-2-related requests, such as never sending W-2 data in reply to an email and verifying any such request with the named executive through a known phone number or in person
  • Educate them on what steps to take if they receive a suspicious email, such as not replying to it and reporting it to the security team

The bottom line is that your actions could protect your company from enormous security and financial exposure. As an IT security professional, it's your job to lead from the front and make sure all employees can recognize these common scams and know exactly what to do in order to prevent a security breach.

About Tom

Tom Callahan has spent more than 15 years in information technology and security, focusing on areas like cloud services, cybersecurity, infrastructure and operations. His background also includes business IT restructuring and retooling to support ongoing changes throughout information technology and security.

Tom joined PDI through its December 2020 acquisition of ControlScan Managed Security Services. He holds a B.S. in Information Technology from Towson University. He’s also a Red Hat Certified Engineer (RHCE), Certified ScrumMaster and an active member of the Mid-Atlantic CIO Forum. Find Tom on LinkedIn and Twitter.
