Your employees' W-2s might not be sexy proprietary secrets, but you need to start treating these documents like you treat your intellectual property. As tax season comes to a close, hackers have already stolen thousands, if not millions, of W-2s from dozens of companies across the U.S.
These targeted phishing attacks are simple; hackers aren't using nasty viruses or infiltrating your network. Instead, hackers use a little social engineering and send what appears to be a regular email from an executive at your company. A hacker will spoof a CEO's or CFO's email address and send a request to an employee in payroll asking for a PDF of all employees' W-2s. The decidedly low-tech method has been duping employees from all types of companies--data storage firm Seagate, social media platform Snapchat, payday lender Moneytree, and even Inc. magazine's parent company.
"This is an epidemic," says Stu Sjouwerman, founder and CEO of security training and awareness company KnowBe4.
Since February, a new batch of companies has admitted each week to sending W-2s to criminals. There are no concrete numbers from this year yet, but last year the IRS sent 1.5 million Americans who had been victimized by tax fraud a unique PIN to use when filing their taxes. Hackers even managed to steal personal information for 700,000 people directly from the IRS website. In addition to these incidents, hackers have swiped millions of people's personal information from dozens of companies, government agencies, healthcare companies, and hospitals in 2015 and 2016. In 2013 alone, the IRS paid $5.8 billion in fraudulent tax returns.
Special Agent Aaron Gogley, who works for the IRS Criminal Investigation team at the FBI's Houston Cyber Task Force, wouldn't say how many companies have fallen for the scheme, but he says it is a major problem.
"If you look at the email address, it will actually look like it's from the CEO," he says. "These emails are crafted extremely well and even the language in the body of the email will actually sound like how the executive writes emails."
But, how is this happening? Gogley says the success of this type of hack is not only due to how targeted, specific, and well written the phishing emails have become, but also because most companies do not expect to be hacked for employee tax forms.
"For criminals, the W-2 is the crown jewels," Gogley says. "For companies, the W-2 is an overlooked area because most organizations think their crown jewels are their products or trade information. When people think about data loss, most companies don't think about their employees' W-2s as the first thing to protect."
So, how do you protect your company from W-2 phishing emails?
Know your assets
First, Gogley says you need to stop thinking your company has nothing of value and step up your security game. A W-2 contains an employee's name, address, Social Security number, employer tax identification number, salary and withholdings. Hackers can use this information to file your taxes and steal your return, but they also can use your information for a number of other identity theft-related crimes.
"Many people think they don't have information that is valuable, but your identity is valuable and it needs to be protected," he says.
Encrypt email and files
Once you realize you have a bounty of booty sitting in filing cabinets, hard drives, and servers, Gogley says you must protect it.
"You need to adopt encryption as a lifestyle change so you're less vulnerable," he says.
There are dozens of types of encryption software, so pick one and encrypt your email, computers, and files.
Patch your email server
Patrick Peterson, founder and CEO of email security firm Agari, says phishing emails are likely to sail through your spam filter because the messages don't contain malware. He says you need to configure your email server to block any external emails that are pretending to be internal emails. (Your IT department will know how to do this.)
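As an added illustration of the server-side check Peterson describes (example code written for this article, not Agari's product or any company's configuration), the following Python sketch flags a message whose From: address claims the company's own domain but which was handed to the mail exchanger by an outside host, failed SPF, or asks for W-2 data. The domain, the trusted relay host and both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"          # assumption: the company's own mail domain
INTERNAL_RELAYS = {"mail.example.com"}   # assumption: hosts that hand authenticated internal mail to the MX
LURE = re.compile(r"\bW-?2s?\b", re.IGNORECASE)   # the lure the article describes

def sender_domain(msg):
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def connecting_host(msg):
    # Only the top-most Received header was written by our own MX; lower ones came from the sender and may be forged.
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)", received[0]) if received else None
    return m.group(1).lower() if m else ""

def classify(raw):
    # Return the reasons to quarantine the message; an empty list means it passes.
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    if sender_domain(msg) == INTERNAL_DOMAIN:
        if connecting_host(msg) not in INTERNAL_RELAYS:
            reasons.append("claims internal sender but arrived from an external host")
        if re.search(r"\bspf=fail\b", msg.get("Authentication-Results", "")):
            reasons.append("SPF failed for the internal domain")
    body = msg.get_body(("plain",))
    if LURE.search(msg.get("Subject", "") + " " + (body.get_content() if body else "")):
        reasons.append("asks for W-2 data")
    return reasons

# Constructed samples (not real mail): a spoofed CEO request and a genuine internal note.
SPOOFED = """\
Received: from mail-out.attacker.invalid (mail-out.attacker.invalid [203.0.113.7]) by mx.example.com with ESMTP id 0001
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com
From: "Jane Doe, CEO" <ceo@example.com>
Subject: Urgent request

Please send me a PDF of every employee's W-2 for last year before noon.
"""
LEGIT = """\
Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.com with ESMTPS id 0002
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
From: "Jane Doe, CEO" <ceo@example.com>
Subject: Lunch

See you at noon.
"""
```

A real deployment would enforce the same rule with SPF/DKIM/DMARC at the gateway rather than a script, but the logic is the one to aim for: an internal From: address is only trustworthy when the message also entered through an authenticated internal path.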
"We have not talked to a single company who has not received these phishing emails," Peterson says. "The hackers have leveraged the same tools and networks as we do, which makes them so successful in their social engineering."
Agari has a new service that verifies the identity of every email your company receives and will delete any phishy ones.
Educate and train your staff
You need to tell your employees about these types of phishing schemes and explain that they must never send W-2s via email. There is no reason to ever put all of your employees' W-2s in a PDF document and send them. Train your staff to stop clicking on links in emails, to think before replying to messages, and to never send personal information belonging to them or fellow employees to anyone.
"This is not a theoretical attack, this is actually happening. This is a threat everyone is facing and you need to take it seriously," Gogley says.