Phishing scams have become so popular and widespread that most are quickly found out and the tips to avoid them follow soon after. No, there isn’t a Nigerian prince out there who really needs money. And your good friend didn’t magically disappear to Asia, lose all their valuables, and somehow still have access to a computer to ask you for a wire transfer immediately. But what if your boss emails you from what seems to be his email, and asks for a W2 or similarly private financial data. Would you send it back, without a second thought?
Some might – unfortunately they also would have been the unassuming victims of a newer targeted phishing scam. As the IRS warned HR and Payroll professionals earlier this month, malicious individuals involved with phishing scams will pose as company executives from what appears to be the correct email and ask for employee’s social security numbers, birth dates, W2s, and other guarded personal information. While some personnel have unfortunately fallen prey to these attacks, you don’t have to. The following are examples of what a scammer may ask for in their email:
- “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
- “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
- “I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
Fake tax returns, especially ones propagated through phishing scams, are a huge criminal business. And, with tax-refund losses estimated to reach $21 billion by the end of this year, a company’s main line of defense is going to be the very employee on the receiving end of these otherwise normal-looking emails. Fortunately there are a couple of tell-tale signs making this scam stand apart – the return or reply-to address is something other than the sender’s normal email, or something as simple as a slight difference in the language and intonation used are two major indicators. Another, more obvious, path is to ask the sender if it is a valid message!
Communication is a key part to any business, and cyber criminals are chomping at the bit during tax season to steal your hard-earned dollars. Beat them at their own game by reviewing any suspicious messages, and have an open line for employees to the powers that be so that, if they are concerned about a potentially threatening email or need to beef up on their cyber security know-how, the resources are there for them to do so.