Tax returns and W-2s are information-rich documents. Among other things they contain the name and Social Security Number of an employee, as well as information concerning their salary and address, and personal behavior and characteristics (e.g., the charities that they support, their sources of income, their investments, and their relationships with financial institutions). Because of the type of data that they hold, cyber-attackers target these documents every year. If an attacker succeeds in obtaining a tax return or a W-2, the attacker may sell the sensitive information contained in the file, may use the document (e.g., an employee's W-2) to submit a fraudulent income tax return in the hope of collecting the refund owed to the employee, or both.
There are many methods by which attackers attempt to obtain tax-related information. The most visible have been attempts to hack the Internal Revenue Service itself; unfortunately several of those attempts have been successful and have led to the loss of information about hundreds of thousands of taxpayers.1 Other attackers attempt to obtain tax documents from accountants or tax preparers, or from employers. For example, in 2016 IRS Commissioner John Koskinen highlighted spear phishing attempts against human resource departments: “This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments . . . If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”2 The following provides a snapshot of information regarding tax filing fraud.
The number of phishing scams for W-2s reported to the IRS in January 2016.3
The percentage increase in reported phishing attempts between January 2015 and January 2016.4
Employers should consider taking the following steps to help prevent a data breach of their employees' tax records:
- If you receive a request from an executive to email large quantities of employee information, verify that request by telephone with the executive before responding. Do this even when the message looks entirely routine; the point of the scheme is that it looks like an ordinary request from the boss.
- If you don't know the executive personally (e.g., would not recognize their voice), make sure that when you verify the request you use an internal telephone number or find their telephone number in an internal directory (i.e., don't trust any telephone numbers within an email, and don't reply to the email to ask whether it is genuine, since a reply goes back to the attacker).
- If the request appears legitimate, consider transmitting the data using a secure connection (e.g., an SFTP server) and not by email.
- If you need to transmit tax information by regular email, encrypt the document that contains the information before sending it. If your company does not have separate encryption software, current versions of Microsoft Word and Adobe Acrobat provide native password-based encryption; save the file in a current format, since legacy formats relied on much weaker encryption. Communicate the password by a separate channel (e.g., by telephone), never in the same email or a follow-up email to the same address.
- Never use a formulaic or easy-to-guess password for an encrypted file (e.g., an employee's last name, the company name, or the tax year).
- Do not publicly post any information that your employees may need to access their tax related information online. For example, if your payroll processor provides you with a business or company ID or code, that information should not be published on the internet as it typically forms a component of the layered security designed to protect tax information.
- Track the rate of tax-related fraud reported to your Human Resources department each year, adjusted for headcount. If the quantity of reported tax fraud is significantly greater this year than it was in previous years, consider investigating whether your data may have been breached.
- If your organization has fallen victim to a phishing email, talk to your outside counsel about notification requirements and whether it makes sense to provide employees with credit monitoring services.
- If you discover that your employees’ data was breached consider whether to notify the Internal Revenue Service and/or state revenue services, in addition to any government agencies that you may be required to notify (e.g., a state attorney general).
- Even if you have not had a breach, be prepared to answer questions from employees who have experienced tax-related identity theft. Statistically, many of your employees will experience identity theft this year, and while the source of the information loss is probably not your company or your vendors, employees may assume that your systems have been breached because the information the attacker used contained employment-related facts.
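The "check it out before you respond" advice above can be partly automated on the receiving side. The following is an added example, not code from the original article or from the IRS: a small heuristic screen that flags the indicators of an executive-impersonation request (an executive's display name on a mailbox that is not theirs, an external or lookalike sender domain, a Reply-To that diverts the conversation elsewhere, and any request for W-2 or payroll data). The company domain `example.com`, the executive directory, and the three sample messages are constructed assumptions. Any non-empty result means the request gets a phone call to a number from the internal directory before anyone replies.

```python
"""Heuristic screen for executive-impersonation ("CEO fraud") requests for
employee data. Added example, not from the original article. The company
domain, executive directory and sample messages are constructed assumptions."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example.com"  # assumption: the employer's mail domain
# assumption: lower-cased display name -> the executive's real mailbox
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Terms that mark a request for payroll or tax data
W2_TERMS = re.compile(r"\b(w-?2s?|payroll|ssn|social security|employee list)\b", re.I)


def screen_message(raw: str) -> List[str]:
    """Return the reasons this request must be confirmed by telephone before
    anyone replies. An empty list means nothing tripped the heuristics."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]

    # 1. Display name of a known executive, but not that executive's mailbox
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr != real:
        reasons.append(f"name '{from_name}' matches an executive but address is {from_addr}")

    # 2. Sender is outside the company domain (lookalike domains land here too)
    if from_domain != COMPANY_DOMAIN:
        reasons.append(f"sender domain '{from_domain}' is external")

    # 3. Replies are redirected to a mailbox other than the visible sender
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != from_addr:
        reasons.append(f"Reply-To '{reply_to}' differs from From")

    # 4. The request concerns W-2 / payroll data: verify by phone even when the
    #    sender looks internal, because From can be spoofed
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if W2_TERMS.search(str(msg.get("Subject", "")) + "\n" + text):
        reasons.append("message requests payroll/W-2 data")
    return reasons


# Constructed sample messages (not real mail)
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Board meeting agenda

Please add the Q3 results to the agenda.
"""

LEGIT_W2 = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: W-2 copies

Can you send me the W-2s for the sales team?
"""

PHISH = """From: Jane Doe <jane.doe@example-mail.com>
Reply-To: Jane Doe <jane.ceo.doe@gmail.com>
To: payroll@example.com
Subject: Urgent: W-2s for all employees

Hi, I need PDF copies of all employee W-2s for a review. Send them to me asap.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("legit W-2 request", LEGIT_W2), ("phish", PHISH)):
        print(label, "->", screen_message(sample) or "no indicators")
```

The legitimate W-2 request still produces one reason: under the article's advice, every bulk request for employee data gets a call, and the other three indicators only raise the priority. A screen like this belongs in the mail gateway or the payroll team's inbox rules; it does not replace the phone call, because a compromised internal mailbox passes every check except the last one.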
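"Significantly greater than in previous years" needs a number before it can trigger an investigation. The following added example (not part of the original article) compares one year's count of employee fraud reports against the per-employee rate of prior years, so that headcount growth alone does not raise an alarm. The headcounts and report counts are constructed, and treating reports as roughly Poisson (standard deviation about the square root of the expected count) is an assumption chosen for illustration, not a figure from the page.

```python
"""Year-over-year check on the rate of tax identity theft reported to HR.
Added example, not from the original article. Headcounts and report counts
are constructed; the Poisson-style threshold is an assumption about what
"significantly greater" should mean."""
import math
from typing import Dict, Optional


def fraud_report_spike(reports: Dict[int, int], headcount: Dict[int, int],
                       year: int, k: float = 3.0) -> Optional[dict]:
    """Compare `year` against the mean per-employee report rate of all prior
    years with data. Returns None when fewer than two prior years exist."""
    prior = sorted(y for y in reports if y < year and y in headcount)
    if len(prior) < 2:
        return None
    mean_rate = sum(reports[y] / headcount[y] for y in prior) / len(prior)
    expected = mean_rate * headcount[year]
    # Report counts behave roughly like a Poisson process: stddev ~ sqrt(expected)
    threshold = expected + k * math.sqrt(max(expected, 1.0))
    observed = reports[year]
    return {"expected": expected, "threshold": threshold,
            "observed": observed, "spike": observed > threshold}


# Constructed sample: a jump in 2016 that headcount growth does not explain
HEADCOUNT = {2013: 1000, 2014: 1100, 2015: 1200, 2016: 1250}
REPORTS = {2013: 4, 2014: 6, 2015: 5, 2016: 23}

if __name__ == "__main__":
    print(fraud_report_spike(REPORTS, HEADCOUNT, 2016))
```

With these figures roughly six reports would be expected in 2016 and anything above about thirteen is flagged; 23 reports is well past that line and would justify asking whether W-2 data left the company. A year with 9 reports is noisy but not a spike. The base rate matters: because identity theft is common in the general population, a flat or slowly rising rate is the expected background, not evidence of a breach.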