It’s business unusual in 2020.
A year that’s seen extraordinary change has millions of employees working from home and relying more on email. With all the impacts to the U.S. economy and people’s livelihoods this year, the IRS responded by extending this year’s tax-filing deadline to July 15.
In the meantime, scammers saw this as a chance to resort to old tricks.
One of the latest: a “business email compromise” aimed at trying to get W-2 forms from companies’ employees. A W-2 documents earnings, tax withholdings, Social Security numbers and other sensitive information. With this one document, a scammer can file a fake tax return or sell the information on the dark web.
“The W-2 fraud scheme is very much like others because it typically relies on a deceptive email communication,” said Jeff Taylor, head of Commercial Fraud Forensics for Regions Bank. “The big difference is important data points are being compromised rather than money. Therefore, the potential exposure for this type of loss is exponentially greater.”
The idea: if scammers can get that valuable private data, they can turn it into money.
Here’s how it works: A fraudster posing as a senior executive within a company sends an email to a lower-level employee who has access to personnel information. The fraudster – again, posing as a legitimate colleague – requests that the lower-level employee share all W-2s covering the company’s workforce. They often ask for the forms in a bulk list that’s easy to export.
If the lower-level employee falls for it and sends the information, fraudsters can begin filling out tens or hundreds or even thousands of fake returns. And with the tax-filing deadline extension this year, they have more time to take advantage of the situation.
Taylor and other security experts encourage companies to keep their businesses from falling for the scheme by following these simple steps:
- Make it clear: W-2s are available only for the appropriate departments – not for CEOs or senior executives who don’t have legitimate business purposes for seeking the information.
- If not already part of your company’s culture, put phishing simulation training and education in place, focusing particularly on the payroll and HR departments most often targeted in these schemes.
- Install identity-based phishing defenses to block these attacks from reaching targets, using source solutions to leverage real-time threat intelligence that helps everyone.
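
For mail administrators, the pattern described above (an executive's name on a message from outside the company, asking for W-2s in bulk) can be screened for before delivery. The Python sketch below is an added example, not code from Regions or any vendor; the company domain, executive roster, signal names, hold rule and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                # assumption: your mail domain
EXECUTIVES = {"dana reyes", "sam okafor"}     # constructed roster of senior names
W2 = re.compile(r"\bw-?2s?\b", re.I)
BULK = re.compile(r"\b(all|every|entire|list|spreadsheet|pdf|export)\b", re.I)

# Constructed sample messages (reserved example/test domains).
SPOOFED = """\
From: "Dana Reyes" <dana.reyes@examp1e-mail.test>
Reply-To: d.reyes.office@inbox.test
To: payroll@example.com
Subject: Urgent: W-2 forms

Please send me all employee W-2s for 2019 as a single PDF today.
"""
LEGIT = """\
From: "Dana Reyes" <dana.reyes@example.com>
To: payroll@example.com
Subject: Q2 schedule

Can we move the payroll review to Thursday?
"""

def body_text(msg):
    """Concatenate every text/plain part of the message."""
    parts = (p for p in msg.walk() if p.get_content_type() == "text/plain")
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)

def w2_bec_signals(raw):
    """Return the impersonation and data-request signals found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    signals = []
    # Display name matches an executive, but the address is not on the company domain.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        signals.append("executive-name-external-sender")
    # Replies would go to a different domain than the one shown in From.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        signals.append("reply-to-domain-mismatch")
    # The message asks for W-2s in bulk rather than about one person's form.
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if W2.search(text) and BULK.search(text):
        signals.append("bulk-w2-request")
    return signals

def should_hold(raw):
    """Hold for review: a bulk W-2 request plus at least one identity signal."""
    signals = w2_bec_signals(raw)
    return "bulk-w2-request" in signals and len(signals) >= 2
```

A held message should be confirmed with the named executive through a separate channel, such as a known phone number, before any W-2 data is sent.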
Be Fraud Aware and keep yourself educated on these intrusion attempts. Be sure to visit www.regions.com/stopfraud for more information and resources.