Protecting HR Workers Against W-2 Cybertheft During Tax Season

Tax season can pose a particularly hectic, if not stressful, time for any professional working in human resources. Adding insult to injury, HR workers are now being targeted by cybertheives phishing for W-2 information under the guise of company CEOs and CFOs.

According to major messaging security company Cloudmark, Inc., at least 68 companies and organizations fell victim to W-2 spear phishing scams from January to May 2016, including U.S. Bank (ADP), Stanford University, Moneytree, and Snapchat, and Equifax.

The scam is actually pretty simple, and works like this:

• Cybertheives dig up information through company websites, social media platforms, and other sources of public data.
• Cybertheives identify the name of a company’s CEO or CFO along with the domain used by company emails.
• Cybertheives then construct false emails to HR personnel requesting all company W-2 employee tax records.
• Cybertheives use or sell tax records to commit identity fraud and collect tax refunds.

To help minimize these cyberthefts, this year the IRS has set the filing dates on both electronic and print tax documents for January 31.

What can HR professionals and executives alike do to help prevent cybertheft in their workplace this tax season? You can start by following these 5 tips from the Society for Human Resource Management (SHRM):

• Provide cybersecurtity awareness training to all workers.
• Avoid requesting or submitting sensitive data via email or text.
• Verify requests coming from high-ranking or upper-management positions.
• Use precaution before opening embedded links found in emails. If it’s a government link, it will have a .gov address. Use your cursor to hover over the link to identity the actual link source.
• Scrutinize website addresses for spelling errors. Cybertheives often use website addresses spelled very similarly to the official ones they’re attempting to represent.