Every year around January 31, as employers scramble to meet the deadline for mailing W-2 forms to their employees, scammers are trolling for that very information.

This year, a new iteration of an old W-2 phishing scam has surfaced. In the 2017 version, scammers posing as a company’s CEO or other high-level executive target human resources (HR) and payroll professionals with email messages requesting certain W-2s or all of a company’s W-2s.

The email messages appear authentic and the associated email address actually looks like the email address of an executive authorized to receive such information. Hitting reply and attaching W-2s, however, sends the requested W-2s directly to the scammer, who then can use the W-2s themselves and all of the information they contain in a myriad of nefarious ways.

This scam and others like it became so popular in 2016 that the Internal Revenue Service (IRS) alerted payroll and HR professionals to be aware of the threat. At that point, the IRS noted that, “Criminals using personal information stolen elsewhere seek to monetize data, including by filing fraudulent tax returns for refunds.” Unfortunately, the IRS’s notice and last year’s incidents of the scam have not prevented its recurrence, and similar spoofing email messages are rampant again this tax season.

To protect your company from the liabilities associated with these scams, the business disruption caused by testing the efficacy of your data breach response plan (your company has one, right?), and the hit to employee productivity that such events cause, you should consider promptly taking some of the following steps:

  • Share this article – or at least the basic factual information – with all employees who have access to personally identifiable information (PII) so they know about the scam and can avoid becoming the next victim.
  • Ensure that all employees who have the ability to send PII by email refrain from replying to email messages seeking PII. Instead, require that they always draft new email messages in which they personally type the email addresses of the recipients or pull the recipients’ email addresses from their own contacts.
  • Limit transmission of PII to encrypted email messages, and communicate the encryption code by a method other than email.
  • Require that transmission of PII occur only after two employees have evaluated the request and confirmed the request’s authenticity and appropriateness.
  • Train employees so that they are familiar with the steps they can take to determine not only the published name of the sender but also the sender’s actual email address.
  • Ensure that your company constrains authorization to access PII with effective technical, physical, and logistical barriers.
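The second and fifth steps above (do not hit reply; learn to read the sender's actual address, not just the displayed name) can also be checked mechanically before a message ever reaches the payroll inbox. The following is an added example, not code from the original article or from Ogletree Deakins: it parses the `From` and `Reply-To` headers of a raw message and flags the patterns this scam depends on, i.e. an executive's display name paired with an address outside the company, a `Reply-To` that differs from `From`, and a lookalike domain. The company domain, the executive directory and the three sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the employer's real mail domain and a small
# directory mapping executive display names to their genuine addresses.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVE_DIRECTORY = {"jane doe": "jane.doe@example-corp.com"}


def edit_distance(a, b):
    """Levenshtein distance; used to spot domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_checks(raw_message, company_domain=COMPANY_DOMAIN,
                  directory=EXECUTIVE_DIRECTORY):
    """Return the sender fields a reader should look at, plus a list of findings."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # The displayed name says "CEO", but the address is not the company's own.
    if domain != company_domain:
        findings.append("external-sender")
        # A domain within two edits of the real one is a classic spoof.
        if edit_distance(domain, company_domain) <= 2:
            findings.append("lookalike-domain")

    # The display name matches a known executive, but the address does not.
    known = directory.get(display.strip().lower())
    if known and known != addr:
        findings.append("display-name-mismatch")

    # Hitting "reply" would send the attachment somewhere other than the sender.
    if reply_to and reply_to != addr:
        findings.append("reply-to-differs")

    return {"display": display, "address": addr,
            "reply_to": reply_to, "findings": findings}


# Constructed sample messages (headers only; bodies are irrelevant to the checks).
LEGITIMATE = (
    'From: "Jane Doe" <jane.doe@example-corp.com>\r\n'
    "Subject: Q4 headcount\r\n\r\nPlease send the headcount summary.\r\n"
)
LOOKALIKE = (
    'From: "Jane Doe" <jane.doe@exarnple-corp.com>\r\n'   # "rn" in place of "m"
    "Reply-To: ceo.office@mail-relay-example.net\r\n"
    "Subject: Urgent - all W-2s\r\n\r\nSend me every W-2 as PDF today.\r\n"
)
FREEMAIL = (
    'From: "Jane Doe" <jane.doe.ceo@webmail-example.net>\r\n'
    "Subject: W-2 request\r\n\r\nI need the W-2s for the executive team.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("lookalike", LOOKALIKE),
                       ("freemail", FREEMAIL)):
        result = sender_checks(raw)
        print(f"{label:11s} {result['display']!r:12s} {result['address']:32s} "
              f"reply-to={result['reply_to'] or '-':32s} {result['findings']}")
```

The checks are deliberately conservative: any one finding is a reason to follow the article's advice and start a fresh message to an address taken from your own contacts rather than replying, and the function can sit in a mail-gateway rule or a simple triage script for the payroll team. A message that carries no findings is not proof of authenticity; it only means the cheap, visible tells are absent.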

Be prepared to take the following steps if you encounter this scam or any data breach:

  • Ensure that you respond as legally required within the applicable time frames.
  • Thoroughly investigate and document the incident.
  • Promptly remedy the circumstances that led to your breach. Implement protective, multi-disciplinary, physical, logistical, and policy/process controls to prevent further disclosures and mitigate future risk.
  • Provide law enforcement with required notices.
  • Provide legally required notices to any individuals whose PII was disclosed.
  • Provide identity-theft protection to affected individuals.

****

Dani Vanderzanden, author of this article, is a Shareholder in the Boston office of Ogletree Deakins and is Co-Chair of the firm’s Data Privacy practice group. She devotes a large portion of her practice to helping employers to reduce their potential for liability to their employees and third parties regarding issues of the type mentioned in this article. She is CIPP/US certified by the International Association of Privacy Professionals and provides advice regarding cybersecurity and privacy matters, including applicable state, federal and multi-national privacy and information security requirements. In 2015, the National Law Journal selected Dani for inclusion on its inaugural list of “Cybersecurity & Data Privacy Trailblazers.” This article was originally posted on the Ogletree website.