[BreachExchange] Building a digital defense against W-2 theft

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 19 21:18:35 EDT 2018


https://www.thechronicleonline.com/news/building-a-digital-defense-against-w--theft/article_e2f7ae8c-275b-11e8-8c00-7f4757406b9d.html

This week, Oregon FBI’s Tech Tuesday segment focused on building a digital
defense against W-2 fraud.

We are still a good month away from April’s tax filing deadline -- but this
is prime time for scam artists looking to cash in on your personal tax
information. The FBI’s Internet Crime Complaint Center recently issued an
updated warning for businesses and employees to be on the watch for W-2
theft. If a cyber thief gets ahold of your W-2, he now has the ability to
file your tax return -- and get your refund -- before you do. He also has
access to a great deal of personally identifiable information including
your Social Security number... and that can lead to a whole host of other
frauds.

The most common way a scam artist gets your W-2 is through a phishing
scheme -- that’s phishing with a “ph”. He pretends to be an executive at
the company and sends an email to the HR department requesting employees’
personal information or their W-2’s, allegedly for tax or audit purposes.
In some cases, the fraudsters have been able to cause a massive data dump
affecting thousands of employees.

Sometimes these requests for data are followed by or combined with a more
traditional business-email-compromise scheme where the fraudster convinces
the finance department to also make unauthorized wire transfers under the
executive’s spoofed authority.

Here are some basic steps that businesses can take to mitigate the threat:

* Limit the number of people who have access to employees’ personal info
and W-2’s.

* Set up two-factor verification systems to confirm the request and receipt
of such sensitive information. This could be as simple as a phone call or a
face-to-face meeting.

* Establish protocols for sensitive information requests ahead of time and
outside of the email environment. You don’t want a hacker who already has
access to your system to know what your back-up security measures include.

* Ensure that you secure sensitive PII and W-2 information with encryption.

* Establish and maintain robust and strong security for your data,
including firewalls, virus protection and spam filters.

Businesses that have suffered a data breach involving tax information
should immediately report that breach to the IRS and their state tax agency.
The IRS also wants to hear from you if you received a W-2 phishing email
but did not fall victim to the scam.

If you have been victimized by this online scam or other cyber fraud, be
sure to also report it to the FBI’s Internet Crime Complaint Center at
www.ic3.gov or call your local FBI office.