W-2 phishing season is just a few weeks away.  For the past several tax seasons, cyber criminals have duped hundreds of payroll departments into providing W-2 information on their employees, which results in the filing of fraudulent tax returns and other identity theft issues.  These attacks are incredibly disruptive to employees, extremely expensive for employers and are completely avoidable with some training. 

The typical W-2 phishing email purports to be from a high-level executive and asks the payroll employee to provide W-2 or other tax-related information either by replying to the phishing email or by sending the information to another email address.  In many instances, the request for the information appears to be urgent, which forces the employee to act quickly.  These messages can be very convincing.  The emails often contain the actual signature block of the executive or a different indicator that makes the employee believe that the email is authentic.

Employees should be trained to examine emails carefully for signs of phishing and to think twice before sending any sensitive information.  Some tell-tale signs can include an unfamiliar email address (e.g. president@ceo.gmail.com instead of the president’s actual email address: dsmith@abc.com) or the use of odd or overly formal language.  Companies should also implement a policy that either no W-2 information will be requested via email or require that employees verify any email request for W-2 information regardless of the apparent urgency in the message.  Verification could include contacting the sender via telephone or by starting a new email thread to confirm the validity of the request.  Finally, any such sensitive information that is emailed in response to a verified request should be sent through a new message created by the sender to ensure that the appropriate recipient receives the message (i.e., do not reply to the emailed request).

The IRS has instructed organizations receiving W-2 scam emails to forward them to phishing@irs.gov and indicate “W2 Scam” in the subject line and also to file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.

In the unfortunate event that your company falls prey to a W-2 or other phishing attack, you should contact legal counsel immediately to assist in implementing strategies to minimize damage and to determine legal obligations.  Immediate action is the key to minimizing damage in W-2 phishing attacks as well as all other data breach situations.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Daniel J. Kagan Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and…

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.