Kindly send me the individual 2016 W-2s (PDF) and earnings summaries for all of our company staff for a quick review. This request is time-sensitive and confidential. I really appreciate your cooperation.
Whether you’re often in communication with the upper execs at your company or not, the above request would sure get your heart pumping. That’s because you’re a conscientious employee who’s always ready to help.
But take caution: just as sure as you want to aid in properly handling your company’s tax filing, cybercriminals hope to exploit that eagerness. And they do, every year, prompting the IRS to disseminate advisories and PSAs. One specific fraudster tactic that continues to claim its proverbial pound has seen astronomical increase. Phishing attacks on U.S. taxpayers have skyrocketed some 400% in recent years, and there’s good reason why.
Following age-old “bait and hook” tactics, tax season’s phishing emails often lure potential victims with phony communications, generally from purported company executives or IRS reps. Accurate company and employee data pulled from online searches and social media profiles lends credence to scammer requests. Preying on employees’ readiness to quickly comply and assist, cybercrooks use vague subject lines—e.g. “Urgent,” “Transfer” or “Request”—to pique interest. Once opened, email contents quickly work on victims’ sense of duty, and suspicion takes a backseat.
Some common email topics that should set off an alarm bell:
- Information regarding a tax refund
- Warnings about unreported or under-reported income
- Offers to assist in filing for a refund
- Links to counterfeit e-file websites
- Requests for personally identifiable information (PII) to be sent via email or entered online
Kudos if you recognize an email to be a scam—they’re often hard to spot. Yet even your eagle eyes and intuition may not be a match for the cybercriminal’s determination. At times, merely opening their fraudulent message launches malware or malicious attachments that infiltrate your system and steal valuable data. The threat holds true whether email is opened from a work-related or a personal account; if it’s within the company’s network, you could be putting mega amounts of sensitive data at risk.
The cautionary tales of companies who’ve fallen victim to W-2 phishing are sobering—there’s a lot to lose. Stolen PII is a hot commodity in underground markets, and one that doesn’t lose value. In fact, harvested data can be used to stage future attacks. And as IRS agent Phyllis explains, falling victim to a tax-related scam can result in dizzying real-world financial losses.