Everything you need to know

It’s that time of year again – tax season – and, unfortunately, it’s also a peak time for phishing scams. Cybercriminals know that people are more likely to be filing their taxes and sharing sensitive information online, so they increase their phishing efforts during this time. In fact, according to the IRS, over 20% of reported phishing scams took place during the 2020 tax season. 

One type of phishing scam that tends to occur during this time is the W-2 scam, in which hackers pretend to be company executives and request employee W-2 forms. Sneaky! But you can defeat the scammers by educating yourself and your employees about these increasingly common scams. 

What is a phishing scam?  

A phishing scam is a type of cybercrime in which hackers send fake emails or texts, pretending to be from a legitimate organization, in order to get their hands on sensitive information. These scams can take many forms, such as fake emails claiming to be from a bank or government agency, or texts pretending to be from a friend or family member in need. They can also come in the form of phone calls or social media messages. Whatever the communication method, the ultimate goal is to steal your personal information and use it for their own gain. 

What is a W-2 phishing scam?  

With a W-2 scam, hackers pose as company executives and request employee W-2 forms, which contain personal and financial information such as names, addresses, and social security numbers. The scammer will often send an email to the HR department or payroll department, requesting the information for “tax purposes” or some other seemingly legitimate reason.  

They might also pose as the IRS, so it’s important to note that the IRS does not request W-2 forms via email. Any such request should be treated with suspicion. 

How to prevent W-2 scams  

To protect yourself and your business from W-2 phishing scams during tax season, consider the following tips: 

• Train your employees to be on the lookout for phishing emails. This can include simulated phishing attacks to test their awareness and reminders to be extra cautious during tax season. Educate them on what to look for, such as unexpected requests for sensitive information or requests that seem out of the ordinary.

• Enable two-factor authentication on all company accounts. This adds an extra layer of security by requiring a second form of authentication, such as a code sent to a mobile phone, in addition to a password. Two-factor authentication makes it much more difficult for hackers to gain access to your accounts, even if they do manage to steal your password.

• Be cautious of unexpected or unusual requests for sensitive information. If you receive a request for employee W-2 forms or any other sensitive information, verify the request before sending the information. This can include contacting the requestor by phone or in person to confirm their identity and the legitimacy of the request.

• Use secure communication channels when sharing sensitive information. This can include encrypting emails or using a secure file transfer service. It’s important to ensure that your sensitive data is not being sent in plain text, as this can make it easy for hackers to intercept and steal. 

• Set up monitoring for suspicious activity on your company accounts. This can help alert you to any unusual activity and allow you to take action to protect your company’s data.

• Be aware of the latest phishing tactics and techniques. Cybercriminals are constantly evolving their tactics, so it’s important to stay up-to-date on the latest techniques they might use. 

• Regularly update your security software and systems. This can help protect against new threats and vulnerabilities that may arise. Consider using a security awareness training program for your employees. This can help educate them on how to identify and protect against phishing scams and other cyber threats. 

How to report a phishing email 

If you believe you’ve fallen victim to a phishing scam, it’s crucial to report it as soon as possible. You can do so by contacting the IRS through their website or the Federal Trade Commission through their fraud report portal. It’s also recommended to inform your company’s IT department, as they may be able to take further steps to secure your data.  

Remember, it’s better to be cautious and verify any unexpected requests for sensitive information. Stay vigilant and follow the tips mentioned above to protect yourself and your company from phishing scams, especially during tax season when these types of cybercrimes tend to increase.