By: Amy Dozier on March 16th, 2016


Best Practices to Protect Personally Identifiable Information


Beware of the W-2 Phishing Scam


It’s Wednesday morning and we have already heard from three clients this week who have been victims of a W-2 phishing scam.  Unfortunately, in each of these cases Helios was contacted to help with the aftermath; we would much rather be part of the proactive solution.  Here is more information about this particular scam and what you can do to protect yourself and your company.

What is the W-2 Phishing Scam?

Cybercriminals are targeting payroll and HR departments with a spoofed email that appears to come from the company’s CEO or CFO and asks for employee W-2s and/or an employee roster.  The message reads like a completely legitimate request, and the sender looks legitimate too: the display name is the executive’s, and the address is either forged outright or registered on a look-alike domain that differs from the real one by a character or two.  The address alone is therefore no proof of who actually sent the message.

What Are Cybercriminals Doing With This Information?

Once they have the W-2s, the criminals file fraudulent tax returns in the employees’ names and collect the refunds.  When those employees later file their legitimate returns, the IRS rejects them because its records show a return has already been filed for that taxpayer.

What to Do to Protect Your Employees’ Personally Identifiable Information (PII)

As a representative of a company who has access to Personally Identifiable Information (PII), you are responsible for and charged with safeguarding that information.  Your employees rely on you to keep their information safe and expect you to have processes in place that will protect them from identity theft.

Who wouldn’t respond promptly to a request from their leadership?  Before you respond, here are a few tips to confirm the email request is legitimate:

  • Call the CEO or whoever is named as the requester to confirm the request came from them, using a phone number you already have on file, never one supplied in the email
  • Rather than replying to the email, start a new message and type the recipient’s address yourself or pick it from the company directory; a reply goes wherever the message’s Reply-To header points, which may not be the executive at all
  • Always password-protect documents containing PII or send them over secure email, and never send the password in the same message as the file
  • Implement policies about who can access PII and how PII will be transmitted, including who is permitted to request bulk employee data and through which channel
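The first two tips above can be partly automated.  The following Python script is an added example for this article, not code from the original post or from Helios; it inspects the headers of an incoming request and flags the tell-tale signs of an impersonation attempt: an external or look-alike sender domain, an executive’s display name on an address that is not the one on file, and a Reply-To that would send your answer somewhere other than the visible sender.  The company domain `example.com`, the executive roster, and the two messages are all constructed for illustration.

```python
"""Flag executive-impersonation emails (the W-2 scam pattern) from their headers.

Added example for this article, not code from Helios or from the original post.
The company domain, the executive roster and both sample messages below are
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed roster: display name -> real address


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw: str) -> list[str]:
    """Return the reasons a message should be treated as a suspected impersonation.

    An empty list means the headers are consistent with an internal sender.
    It does NOT prove the request is genuine: a compromised internal mailbox
    passes every check here, which is why the phone call stays on the list.
    """
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    reasons = []

    # 1. Sender is outside the company, possibly on a look-alike domain.
    if from_dom != COMPANY_DOMAIN:
        reasons.append(f"external sender domain {from_dom!r}")
        if 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
            reasons.append(f"look-alike domain {from_dom!r} resembles {COMPANY_DOMAIN!r}")

    # 2. Replying would send the answer somewhere other than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        reasons.append(f"Reply-To {reply_addr!r} points outside the From domain")

    # 3. An executive's display name on an address that is not the one on file.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        reasons.append(f"address {from_addr!r} is not the address on file for {from_name!r}")

    # 4. The message asks for the data this scam targets.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if "w-2" in text or "w2" in text:
        reasons.append("message requests W-2 data")
    return reasons


# Constructed sample messages (not real mail).
SCAM = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.urgent@mail-example.net>
To: payroll@example.com
Subject: W-2s needed today

Please send me the 2015 W-2s for all employees as a PDF. Thanks, Jane
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Board meeting agenda

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, check_headers(raw) or ["no header anomalies"])
```

Run against the constructed scam message the script reports five anomalies (external domain, look-alike domain, mismatched Reply-To, wrong address for the executive, and a W-2 request); the legitimate message produces none.  Treat a clean result as “no obvious forgery,” not as authorization to send the data.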

What If it’s Too Late and We Have Already Fallen Victim to this Scam?

First, don’t panic; panicking will not help the situation. Here are a few tips to get you through it:

  • Find the facts: whose information was compromised and exactly which data elements were sent
  • Contact the IRS to let them know about the data breach; they will put individuals on alert and scrutinize tax returns filed on their behalf prior to processing any returns.
  • Offer Identity Theft Protection services to employees at no cost to them through vendors, such as LifeLock or Kroll.
  • Communicate, communicate, communicate.
    • Let employees know about the breach and what you are doing to ensure it does not occur again.
    • Provide employees with information about the steps they can take to prevent fraudulent tax filings.
    • Encourage your employees to immediately submit IRS Form 14039, Identity Theft Affidavit to the IRS.

Cybercriminals are becoming more sophisticated and are making it easy for well-meaning employees to fall victim to their scams.  Being proactive is the best thing you can do.  Implement policies, practices, and checks and balances now so that something like this does not happen in your company on your watch.