You’ve probably heard in the news in recent months (see here, here, and here…) about W-2 phishing scams specifically targeting payroll professionals, human resources executives, and even CEOs. First, know that “phishing” attacks are fraudulent emails and internet links that masquerade as legitimate inquiries, websites, or forms. These scams have compromised information from literally thousands of W-2s this year alone, so they should be one of your top concerns during tax season and year-round.
Abacus Payroll offers a basic breakdown of what a phishing scam can do, how to recognize and prevent one, and what to do if the worst-case scenario occurs.
The Attack Strategy
The W-2 phishing scam in question starts with a seemingly innocuous email whose sender appears to be a high-level executive. The email requests employee W-2 records with updated information. Since the emails started out by targeting payroll and HR companies with access to vast numbers of employees’ data, the hackers rendered thousands of W-2s vulnerable from just one attack.
It’s worth noting that the W-2 phishing scam has since moved on to attack schools and non-profits, meaning a W-2 request link could feasibly come from just about any source (e.g., a principal or a district coordinator rather than a CEO).
Repercussions of the attacks include the loss (and possible exposure) of employees’ personal data (e.g., social security numbers, home addresses, etc.), paired with fraudulent tax returns filed using the compromised data. As embarrassing as falling victim may be, it’s imperative that you report an attack as soon as possible so the IRS can effectively head off and reverse the scam before it causes any major damage.
Preventing Phishing Attacks
Remind your employees that the IRS will never call or email when it comes to W-2 information collection. Similarly, tell them that employees seeking replacement W-2s will have to pick them up in person—staying away from the electronic medium where possible is a good way to cut down on your firm’s exposure to phishing attacks.
In fact, establishing a no-email policy when it comes to W-2 data is perhaps the best way to ensure that employees won’t click on suspicious links. If you tell your employees that you will never—not even once—ask them for W-2 information via email, you remove the majority of doubt from the equation. That way, even if employees do receive an email from “you” (or another high-level employer at your firm), they’ll know it’s a fraud and report it as such.
You should also encourage your employees to contact you to double-check any emails requesting W-2 information or similar data. Even if you have a preventative plan like the above in place, this secondary process will ensure that even the employees who are too skittish to refuse to respond to an email will verify with you before moving forward.
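The no-email policy above can also be enforced by a mail filter. The following is an added example (not Abacus Payroll’s code) that flags inbound messages asking for W-2 data, and additionally notes when the sender’s display name matches an executive but the address is outside the firm’s own domain, or the Reply-To points elsewhere. The domain, executive names, and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration (hypothetical firm and executives, not from the post).
INTERNAL_DOMAIN = "example-firm.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}
W2_PATTERN = re.compile(r"\bw-?2s?\b", re.IGNORECASE)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess_message(raw: str) -> list[str]:
    """Return the reasons a message looks like a W-2 phishing attempt (empty if none)."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons: list[str] = []
    if not (W2_PATTERN.search(subject) or W2_PATTERN.search(body)):
        return reasons
    # Policy: W-2 data is never requested by email, so any such request is flagged.
    reasons.append("requests W-2 data by email (policy: never done)")
    # Display-name impersonation: an executive's name on an external address.
    if display_name.strip().lower() in EXECUTIVE_NAMES and _domain(address) != INTERNAL_DOMAIN:
        reasons.append(f"executive display name with external address {address}")
    # Replies silently redirected outside the firm are another common tell.
    if "Reply-To" in msg and _domain(parseaddr(msg["Reply-To"])[1]) != INTERNAL_DOMAIN:
        reasons.append("Reply-To points outside the firm")
    return reasons


# Constructed sample messages for a stand-alone run.
PHISH = """From: Jane Doe <jane.doe@example-firm-payroll.com>
Reply-To: jane.doe@webmail.example
To: payroll@example-firm.com
Subject: Updated W-2s needed today

Can you send me the W-2s for all employees as a PDF before my meeting?
"""

LEGIT = """From: Jane Doe <jane.doe@example-firm.com>
To: payroll@example-firm.com
Subject: Q1 headcount

Please send the headcount summary when you get a chance.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess_message(sample))
```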
Finally, it’s prudent to note that malicious attacks intent on stealing and misusing employee identity data aren’t new. If you successfully nail down a plan to stop phishing scams, you can expect a different (and therefore more dangerous) scam to come your way; it’s only a matter of time. To minimize the possibility of employee information loss, make sure W-2 information stays stored on a secure, local server to which employees have only local access.
It’s likely that you’ll get pretty cozy with your IT department during these processes. Don’t worry—they don’t bite.
Dealing with a Phishing Attack
The best way to prevent your firm from falling victim to a phishing attack is to establish strict guidelines for internal communications and technology use. Such guidelines might include some of the following steps:
- Verify all internal links or communications
- Create a step-by-step plan for submitting W-2s that allows for no deviation
- Use work accounts and email addresses only on work computers and/or mobile devices
- Sign out of employee accounts at the end of the day; additionally, clear history and cookies daily
You should also consider holding regular seminars on identifying and avoiding phishing scams. Occasional tests or audits to identify susceptible employees aren’t a bad idea, either: they give your employees practice they can apply when the real thing arrives.
With that in mind, phishing attacks continue to evolve. No amount of training or preventive measures will stop 100 percent of phishing scams, so you must prepare for the worst in order to deal with the fallout as quickly and efficiently as possible.
The first thing you need to do when compromised by a phishing attack is alert your employees (the quicker you can get the word out, the better) and provide them with a preliminary protective plan (in most cases, this will entail refraining from clicking any links, internal or otherwise). Immediately thereafter, report the phishing attack to the appropriate party (e.g., your payroll processing company of choice). You’ll need to provide them with your business name and the details of the attack.
As far as your employees go, their next actions will depend on the nature of the attack, but you can expect to enforce a total halt of internal electronic communications and W-2 submissions until you can resolve the situation. A briefing regarding the attack and your next steps as a company will put everyone on the same page and prevent the phishing scam from affecting anyone else.
After you report the scam, all you can do is wait for the IRS to finish their extensive review of the affected W-2s. They’ll take care of any suspicious refunds or the like.
At Abacus Payroll, we understand that mistakes happen; no system is completely safe from a well-disguised phishing attack. And identity thieves will only get sneakier and more creative. We are committed to the safety of our clients’ sensitive data, so for more tips on how you can keep your employees’ records safe, call us at (856) 667-6225.