Legal Alert

Avoid Taking the Bait of W-2 Phishing Schemes

March 6, 2019

As tax season winds on, the W-2 form scam has emerged as one of the most dangerous and common phishing email schemes during this time of year.

W-2s are information-rich documents containing an employee's name, Social Security number, address, salary, and other personal information. Each year, cyber criminals target these documents in order to sell the sensitive information contained therein and to submit fraudulent tax returns in hopes of defrauding the IRS.

During the 2018 tax season, cyber criminals exposed upwards of 1.4 billion records. In the past few years, the IRS has confirmed that 3 million tax returns were fraudulently filed in the amount of $20 billion. Although the IRS identified and eliminated most of the fraudulent returns, cyber criminals still obtained upwards of $1.6 billion in 2017.

There are many methods by which cyber criminals attempt to obtain W-2 information. The most common, however, is a phishing scheme targeting a company's human resources or payroll department. Most often, cyber criminals "spoof" the CEO's email address and request a copy of all employee W-2s via email. Spoofing is the forgery of an email header so that the email appears to have actually originated from the CEO. Upon closer inspection of the actual email address, it proves to be fraudulent.

Employers' first line of defense is to educate employees with access or privilege to this data that they are a target of these phishing schemes. Increased skepticism and avoidance of these ploys can save employers substantial time and money. Thwarting these phishing schemes will also save your employees the headache of having their returns rejected. A rejected return would necessitate employees file by paper and, in certain circumstances, verify their identity in person at a local IRS location.

If an employee does fall for a W-2 scheme, employers shouldn't panic. The incident response team at Ballard Spahr is extremely versed in W-2 schemes and can assist you in mitigating the incident in a timely manner. Ballard Spahr’s incident response team provides 24/7 incident response services and can be contacted at 1-800-864-8266.

Members of Ballard Spahr's Privacy and Data Security Group regularly assist clients with cyber incident planning and response, crisis management, investigations, and litigation. Our cyber incident response team assists organizations of all sizes in preparing for and responding to cyber incidents, and the investigations and litigation that often follow.

Copyright © 2019 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Subscribe to Ballard Spahr Mailing Lists

Get the latest significant legal alerts, news, webinars, and insights that affect your industry.