Cyber criminals have targeted hundreds of businesses and organizations with phishing emails to obtain workers’ data W-2 forms during this year’s tax period. The FBI said that hundreds of thousands of employees’ personal data were stolen thanks to this scam, up from 50 in 2016.
The scam unfolds like this: An email is sent to someone in the personnel area, disguised as a request from an executive within the same organization, asking for specific information on employees, such as a list of all employees and their W-2 forms. According to the FBI, some emails also ask the companies to transfer money to a specific bank account.
Up to 200 organizations have been affected by this scam, including public schools, Native American governments, nonprofits and businesses.
To prevent this, the IRS and FBI recommend that companies warn personnel staff and everyone in charge of the HR department in advance, as well as verifying the trustworthiness of the email by making a call to the petitionary.
Government agencies have activated an email address where data thefts involving the W-2 scam can be reported: firstname.lastname@example.org. They ask that people include “W-2 scam” in the subject line. If your business or organization hasn’t been victimized as yet, you can forward suspicious emails to email@example.com, also with “W-2 scam” in the subject line.
According to the IRS, cited by L.A. Times, organizations and people can protect themselves by following these steps:
• If you get a suspicious email, pick up the phone and call the person who supposedly sent it, using a phone number you can verify as theirs – not one that might be contained in the email. Confirm that this person has actually made the request.
• Ensure that employees with access to W-2s or other sensitive information are aware of these scams. They should know the warning signs of phishing scams, including incorrect email addresses.
• Invest in software that will flag suspicious emails.
The FBI also recommends people contact its Internet Complaint Center through its website: www.ic3.gov.