
Don’t Get Caught by the Phisherman’s Hook this Tax Season


by FEI Daily Staff

Studies estimate that successful phishing attacks cost victim companies, on average, $1.6 million per incident in response costs last year.


It’s tax season again, which means phishing season is officially open.  Suspicious emails from slightly misspelled banking institutions may seem like old hat, but the scams have persisted and evolved into ever more sophisticated schemes to trick the unwary, and the best-paying scams may be those targeting data to falsify tax returns.  During tax season last year, the IRS warned of a 400 percent increase in phishing and malware attacks, which contributed to an estimated $21 billion of taxpayer money lost to fraudulent tax returns, up from about $6.5 billion lost in 2014.  The scams are easy and involve little up-front investment:  the criminal doesn’t have to be a technically savvy hacker to pull off a successful phishing attack.  Any good con artist with an email account can trick the unsuspecting into clicking a malicious link or volunteering information, and W-2 fraud requires precious little data to pull off.

Just last month the IRS and state tax authorities warned of a “second-wave” phishing scam targeting employee payroll data that was striking businesses across the country.  The scam is similar to one the IRS reported in March of last year.  In this type of “spear phishing,” or targeted attack, the attacker “spoofs” an internal company email address, making the message appear to come from an actual executive or manager, and asks finance, HR, or payroll employees to provide sensitive employee data.  The spoof need not be technically sophisticated: it can be a forged From header, a display name that matches the executive’s while the underlying address is external, or a look-alike domain with a single character changed.  A typical request reads: “Send me the updated list of 2016 employees with full details (name, Social Security number, date of birth, home address, salary).”  These “urgent requests,” timed to coincide with tax season, can seem plausible, particularly when the email appears to come from a superior.

The IRS, which has partnered with state tax authorities and the tax industry in an ongoing effort to combat tax-related identity theft known as the Security Summit, has stepped up efforts to authenticate tax preparer identities using multifactor authentication.  It is also expanding pilot programs to add verification codes to some taxpayer W-2s.  While the IRS hopes to reverse the trends that made 2016 the high-water mark for W-2 fraud, its efforts won’t stop every scammer, particularly those who successfully steal copies of W-2s.

This is where you can step in.  Businesses play an important role in combating these phishing schemes and can take simple steps to improve training and data-handling policies that, without decreasing productivity, can reduce the likelihood that their employees will fall prey to phishing:

  • Pick up the phone.  Requests over email for sensitive data, like employee Social Security numbers, can be verified with a phone call to the supposed sender to confirm that a person inside your organization has actually made the request.  Use a number you already have on file, not one supplied in the email or its signature, and do not reply to the email to ask.
  • Turn on external email notifications.  Many email platforms can be configured to add visual cues or warning messages to the subject line or body of external emails that only users within your organization can see; in Exchange and Office 365, for example, this is a mail flow (transport) rule whose condition is “sender is located outside the organization” and whose action prepends a tag such as [EXTERNAL] to the subject or a banner to the body.  Because the mail system adds the tag after the message arrives, a sender cannot forge it, and employees are alerted that the email comes from an external source even when the display name or address looks internal.  The one caveat is that a message sent from a genuinely compromised internal mailbox will not be tagged, so the phone-call check still applies.
  • Consider removing the operational titles of your finance, HR, and IT professionals from social media.  These employees are among the gatekeepers to sensitive information about your company’s employees, and the best spear phishers will try to decipher likely internal reporting relationships from information posted on social media and the internet, increasing the chances of successful impersonation.
  • Don’t click on links or download documents from emails that look suspicious.  Everyone should know this.  Unfortunately, some of the most successful phishing templates look the most innocuous: password change notifications, shipping confirmations, and download notifications from cloud storage services.  Messages asking the user to click a link if they feel they have received the message in error or didn’t sign up for a certain account receive click rates that would make most marketing teams jealous.  Most browsers and mail clients show a link’s real destination in the status bar when the cursor hovers over it; the visible text of a link and the address it actually opens can differ, and a mismatch is a strong sign of fraud.  When in doubt, forward the message to your IT professionals as possible fraud or spam rather than clicking.
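The three technical checks above (an external-sender tag added by the mail system, an executive’s name on an outside address, and link text that does not match the link’s real target) can be expressed as a short piece of mail-filtering logic.  The following is an added example written for this page, not code from the article or its authors; the organization domain, the executive names, and both messages are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organization (not from the article): its own mail domain and
# the executives a spear-phisher would most likely impersonate.
INTERNAL_DOMAINS = {"example-corp.com"}
PROTECTED_NAMES = {"jane doe", "john roe"}

# Constructed sample phish: an executive's display name, a look-alike sending
# domain (digit 1 for the letter l), and a link whose visible text is an
# internal URL but whose real target is somewhere else entirely.
PHISH = b"""From: "Jane Doe" <jane.doe@examp1e-corp.com>
To: payroll@example-corp.com
Subject: Urgent: 2016 W-2 list
Content-Type: text/html; charset="utf-8"

<p>Send me the updated list of 2016 employees with full details.</p>
<p>Upload here: <a href="http://198.51.100.7/upload">https://hr.example-corp.com/w2</a></p>
"""

# Constructed benign message from inside the organization, for contrast.
LEGIT = b"""From: "John Roe" <john.roe@example-corp.com>
To: payroll@example-corp.com
Subject: Lunch on Friday
Content-Type: text/html; charset="utf-8"

<p>Menu: <a href="https://intranet.example-corp.com/menu">https://intranet.example-corp.com/menu</a></p>
"""


def sender(msg):
    """Return (display name, domain) from the From header, lowercased."""
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return "", ""
    addr = hdr.addresses[0]
    return addr.display_name.strip().lower(), addr.domain.lower()


def sender_is_external(msg):
    """True when the From domain is not ours: the condition a gateway rule tests."""
    return sender(msg)[1] not in INTERNAL_DOMAINS


def display_name_impersonation(msg):
    """An executive's name on an external address: the classic W-2 spear phish."""
    name, _ = sender(msg)
    return name in PROTECTED_NAMES and sender_is_external(msg)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """Links whose visible text names a host other than the real target."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue  # ordinary words as link text: nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown != urlparse(href).hostname:
            findings.append((text, href))
    return findings


def tag_external(msg):
    """Prepend the marker the way an 'external sender' mail flow rule does."""
    if sender_is_external(msg):
        subject = "[EXTERNAL] " + (msg["Subject"] or "")
        if "Subject" in msg:
            msg.replace_header("Subject", subject)
        else:
            msg["Subject"] = subject
    return msg


def analyze(raw_bytes):
    """Return (subject after tagging, list of warnings) for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part is not None else ""
    warnings = []
    if display_name_impersonation(msg):
        warnings.append("display-name impersonation")
    for text, href in deceptive_links(html):
        warnings.append(f"deceptive link: shows {text} but goes to {href}")
    tag_external(msg)
    return str(msg["Subject"]), warnings


if __name__ == "__main__":
    for raw in (PHISH, LEGIT):
        print(analyze(raw))
```

Run against the constructed phish, the subject comes back as “[EXTERNAL] Urgent: 2016 W-2 list” with two warnings (the impersonated display name and the link that shows an internal host but points at 198.51.100.7); the internal lunch message is left untagged with no warnings.  In production the tagging is done by the mail gateway, not by a script in the mailbox, and the name list would be drawn from the directory rather than hard-coded, but the decision logic is the same.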
Last year studies estimated that successful phishing attacks cost victim companies, on average, $1.6 million per incident in response costs, and in at least one study, 15% of public companies reported a drop in stock price due to spear phishing, a reminder that when it comes to data security an ounce of prevention is indeed worth a pound of cure.


Miriam H. Wugmeister is co-chair of Morrison & Foerster’s Global Privacy and Data Security Group, and partner in the firm's New York office. Robert J. Baehr is an associate in Morrison & Foerster's Litigation Department, and is based in the firm's New York office.