News & Insights

3 Tips to Protect Yourself Against W-2 Phishing Scams

Mike Ferris

3 Tips to Protect Yourself Against W-2 Phishing Scams

Tax season is right around the corner, which means W-2 phishing emails and scams are on the rise. In 2017 alone, more than 120,000 employees were exposed to tax fraud and identity theft. WhiteHawk anticipates these phishing emails targeting Individuals, HR and Finance departments to increase over the next few months as hackers attempt to gain access to W-2 tax forms, similar to past years.

Below are 3 tips that WhiteHawk has provided for staying vigilant and reporting W-2 phishing scams.

  1. Monitor your tax records
    • The IRS has a tool to view your tax account, which can be found on their website here. You can register your account and, once logged in, be able to view past tax records as well as newly filed returns. Monitoring this site often will give you the opportunity to take early action against fraudulent tax filings as you will be able to tell if someone has filed in your name (to get your tax refund).

  2. Provide security awareness training
    • Companies such as KnowBe4 and The Security Awareness Company offer security awareness training to small and midsize businesses. The employee is often the first line of defense in protecting company data and personal information. While your IT team may have set up firewalls and email filters to protect them, items still fall through the cracks. Training all employees on how to spot phishing emails properly can save the company from potential issues in the future.

  3. Report the scam
    • The IRS has ways for businesses and payroll service professionals to report if they have lost data to these scams. Even if you reviewed an email but did not lose any data, you can still report them. The ways to report are listed on the IRS website. Incorporating this practice into your Incident Response Workflow (IRW) can help the IRS to investigate the scam while helping you take action if you have lost data.

Cyber criminals are known to utilize social engineering and email spoofing techniques to gain employee Personally Identifiable Information (PII) including social security numbers. Email spoofing and social engineering techniques where someone is tricked into giving access to data because they believe it is someone they know. Many email spoofing campaigns sent either to or from the CEO or President of a company, as most people do not look as closely into an email they believe is from their boss. Suddenly, a hacker may have access to your system and your employees' information. With this data, criminals can file fraudulent tax returns for tax refunds.

Although it is always best to not fall prey to phishing and social engineering attacks, it can happen. It is important to know that there are steps you can take to protect yourself and your employees. If you would like to protect yourself further, contact WhiteHawk Advisory Services to set up a Cyber Risk Profile today.