As an IT or cybersecurity professional, you know that tax season is breach season. The first three months of the year are when your employees are most likely to be targeted by cybercriminals seeking to compromise sensitive information and file fraudulent tax returns. There are several ways that these fraudsters infiltrate company systems, but the most common is blending CEO fraud with W-2 phishing scams.
You are probably familiar with CEO fraud – email scams where the attacker imitates the boss and tricks an employee into wiring funds. Fraudsters are now impersonating the CEO and, rather than requesting a wire transfer, they ask for a copy of all employee W-2 forms. Once they have these forms in hand, they'll sell them on the Dark Web or file fraudulent tax returns.
Phishers have gotten bolder in recent years, going after a wider range of both organizations and employees. According to the IRS Return Integrity Compliance Services, reports of W-2 phishing emails increased 870 percent from 2016 to 2017. By all accounts, there are no signs that this method of deception will slow down in 2018. It's critical that infosec and HR teams work together to develop continuous and constructive phishing assessments and training. With these two teams aligned on cyber training, employees become an active layer of defense, recognizing and reporting suspicious emails. Regularly reminding all employees that email is not a secure way to transmit sensitive information is also key to keeping everyone protected.
It's equally important to warn your employees of the threats facing them outside of the office. Scam phone calls from IRS imposters are also expected to increase this tax season. These scam artists can often manipulate caller ID to make it look like the call is legitimate. Once one of these fraudsters makes contact, they will either demand an immediate payment or assert that the victim is eligible for a tax refund and that sensitive private information must be validated and therefore divulged.
Beyond the negative financial impact, if personal information is exposed, it significantly increases the opportunity for identity theft. Employees who have their personal information compromised may need to dedicate hundreds of hours to resolving and restoring their good name. For employers, this means that their employees may need significant time away from work, which severely impacts productivity.
In today's digital world, it's not a matter of if, but when you'll be a target for criminal gain. 2017 saw 45 percent more data breaches than 2016, putting hundreds of millions of individuals and families at risk of identity theft. It's essential that CISOs, Benefits, and Human Resources managers work together to offer the best security, tools and training available to their teams.