Avoid This Season’s Latest Data Theft Scam

Your employees’ W-2s might not be sexy proprietary secrets, but you need to start treating these documents like you treat your intellectual property. As tax season comes to a close, hackers have already stolen thousands, if not millions, of W-2s from dozens of companies across the U.S.

These targeted phishing attacks are simple; hackers aren’t using nasty viruses or infiltrating your network. Instead, hackers use a little social engineering and send what appears to be a regular email from an executive at your company. A hacker will spoof a CEO’s or CFO’s email address and send a request to an employee in payroll asking for a PDF of all employees’ W-2s. The decidedly low-tech method has been duping employees from all types of companies–data storage firm Seagate, social media platform Snapchat, payday lender Moneytree, and even Inc. magazine’s parent company.

“This is an epidemic,” says Stu Sjouwerman, founder and CEO of security training and awareness company KnowBe4.

Since February, a new batch of companies admit to sending W-2s to criminals each week. There are no concrete numbers from this year yet, but last year the IRS sent 1.5 million Americans who have been victimized by tax fraud a unique PIN to use when filing their taxes. Hackers even managed to steal personal information for 700,000 people directly from the IRS website. In addition to these incidents, hackers have swiped millions of people’s personal information from dozens of companies, government agencies, healthcare companies, and hospitals in 2015 and 2016. In 2013 alone, the IRS paid $5.8 billion in fraudulent tax returns.

Special Agent Aaron Gogley, who works for the IRS Criminal Investigation team at the FBI’s Houston Cyber Task Force, wouldn’t say how many companies have fallen for the scheme, but he says it is a major problem.

“If you look at the email address, it will actually look like it’s from the CEO,” he says. “These emails are crafted extremely well and even the language in the body of the email will actually sound like how the executive writes emails.”

But, how is this happening? Gogley says the success of this type of hack is not only due to how targeted, specific, and well written the phishing emails have become, but also because most companies do not expect to be hacked for employee tax forms.

“For criminals, the W-2 is the crown jewels,” Gogley says. “For companies, the W-2 is an overlooked area because most organizations think their crown jewels are their products or trade information. When people think about data loss, most companies don’t think about their employees’ W-2s as the first thing to protect.”

So, how do you protect your company from W-2 phishing emails?