United States: A New Tax Season, But The Same W-2 Spear Phishing Scam – January 23, 2018

With a new tax season approaching, companies should be vigilant in guarding against criminals attempting to obtain sensitive information through a variety of scams. Last month, the IRS issued an alert warning consumers of an email scam targeting Hotmail users that purported to be a request from the IRS for sensitive information. Although this scam targeted consumers individually, the bigger prize comes from targeting organizations. According to the IRS, the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increased to 200 in 2017 from 50 in 2016. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen. In some cases, the criminals requested both the W-2 information and a wire transfer. Once the scammers obtain copies of W-2s, they can move quickly to file fraudulent tax returns that could mirror the actual income received by employees – making the fraud more difficult to detect.

What to Look For

The W-2 scams often begin with a "spoofing" email that appears to be sent by a company's CEO or CFO to one or more employees in human resources and payroll, or an executive assistant. Some cybercriminals specifically target these emails at times when the executive may be traveling, the business may be urgently preparing tax statements or other periods when an employee is more likely to be caught off guard. Cybercriminals attempt to trick the employees into disclosing employee names, Social Security numbers (SSNs) and income information. The criminals then attempt to file fraudulent tax returns for tax refunds. Here is an example:

The email appears to be a completely legitimate request from a legitimate email address, but in reality, the email is from someone entirely different and has the "REPLY TO" field (which is typically hidden from the end user) set to an email address controlled by the criminal; for example, ceo@mail.com. The email headers would show this. Other variations on the content of the W-2 scam requests can be found in the IRS' alert on the topic issued Jan. 25, 2017.
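The header trick described above can be checked mechanically before a payroll mailbox ever sees the message. The following script is an added example written for this article, not code from the original post or from BakerHostetler or the IRS. It parses a raw message with Python's standard library and flags the two signals discussed: a "Reply-To" whose domain differs from the visible "From" domain, and an executive-sounding display name attached to an address outside the organisation's own domain. The company domain (`example.com`) and both sample messages are constructed placeholders. A differing Reply-To is a triage signal rather than a verdict, since mailing lists and ticketing systems legitimately set it, so the output is a list of findings for a human to review.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (placeholder value).
COMPANY_DOMAIN = "example.com"

# Constructed sample: the From line looks like the CEO, but Reply-To points elsewhere,
# mirroring the ceo@mail.com pattern described in the article.
SPOOFED_W2_REQUEST = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: ceo@mail.com
To: payroll@example.com
Subject: Urgent - W-2 copies needed

I'm travelling and need PDF copies of all employee W-2s for 2017 today.
"""

# Constructed sample of an ordinary internal message, for comparison.
CLEAN_MESSAGE = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
To: payroll@example.com
Subject: Quarterly all-hands

Reminder that the all-hands is on Thursday.
"""

EXEC_TITLES = ("ceo", "cfo", "chief", "president", "controller")
W2_PATTERN = re.compile(r"\bW-?2s?\b", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when it carries no address."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_message(raw, company_domain=COMPANY_DOMAIN):
    """Return human-readable findings for a raw RFC 822 message (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    findings = []

    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)
    reply_to = msg.get("Reply-To")
    reply_domain = domain_of(reply_to)

    # 1. Replies are routed to a different domain than the visible sender's.
    if reply_to and reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'"
        )

    # 2. The display name claims an executive title, but the address is external.
    if any(t in display_name.lower() for t in EXEC_TITLES) and from_domain != company_domain:
        findings.append(f"executive display name '{display_name}' on an external address")

    # 3. The message asks about W-2s and any reply would leave the company domain.
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    effective_domain = reply_domain or from_domain
    if W2_PATTERN.search(subject + " " + body) and effective_domain != company_domain:
        findings.append("W-2 request whose replies would be routed outside the company domain")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_W2_REQUEST), ("clean", CLEAN_MESSAGE)):
        print(label, analyze_message(raw) or ["no findings"])
```

The checks deliberately read the raw headers rather than what a mail client renders, because the client is exactly where the Reply-To field is hidden. A mail gateway or a quarantine review script can run the same function over each inbound message to the payroll and HR aliases.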

We expect W-2 scams to continue to rise because of (1) the success attackers had in the past several years; (2) the increase in activity year over year; (3) the time and effort it takes to send targeted emails to employees across industries, which are significantly less than the effort it takes to infiltrate a network; and (4) the low cost to enter the market as an entry-level criminal conducting W-2 scams. The IRS will likely issue further alerts as the tax season gets underway.

Proactive Measures

In order to prepare for the upcoming tax season, companies can focus on some of the following best practices:

  • Re-educate all employees about phishing in general and spear phishing in particular.
  • Never take an email from an ostensibly familiar source at face value; for example, an email from the CEO or an HR executive. If it asks you to open a link or attachment, think twice.
  • If an email contains a link, hover your cursor over the link to see the web address (URL) destination. If it's not a URL you recognize or if it's an abbreviated URL, don't open it.
  • Consider a verbal confirmation by phone during tax season if you receive an email requesting copies of W-2s.
  • Be cautious of verification via instant messaging (IM), as an attacker with access to an email account may also have access to IM.
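The "hover to see the real destination" advice in the list above can be applied to a whole message at once. The script below is an added example written for this article, not code from the original post or from BakerHostetler. It extracts every anchor from an HTML message body and flags a link when the visible text looks like a URL but points at a different host, when the destination is a URL shortener (the "abbreviated URL" case), or when the host is not under a trusted domain. The trusted-domain list, the shortener list and the sample HTML are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: the organisation's own domains and a short illustrative list of
# URL-shortening hosts; both would be replaced with local policy.
TRUSTED_DOMAINS = {"example.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Anchor text that itself looks like a URL or bare host name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)

# Constructed sample body: a shortened link, a look-alike link, and a legitimate one.
SAMPLE_HTML = """
<p>Please upload the W-2 files to the <a href="http://bit.ly/xyz123">secure portal</a>.</p>
<p>Or sign in at <a href="https://portal.example.net/login">https://portal.example.com/login</a></p>
<p>Questions? See <a href="https://portal.example.com/help">Help</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; a scheme is assumed when the text has none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html):
    """Return [(href, [reasons])] for every link that fails one of the checks."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        href_host = host_of(href)
        reasons = []
        if href_host in SHORTENER_HOSTS:
            reasons.append("shortened URL hides the real destination")
        if URL_LIKE.match(text) and host_of(text) != href_host:
            reasons.append(f"visible text shows '{host_of(text)}' but link goes to '{href_host}'")
        if not is_trusted(href_host):
            reasons.append(f"destination host '{href_host}' is not under a trusted domain")
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

The second link in the sample is the case the article warns about: what the employee reads is the company's own portal, while the destination that a hover would reveal is a different domain. Run over the HTML part of an incoming message, the function produces the same information a careful hover would, for every link at once.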

Bottom line, payroll officials should double-check any executive-level or unusual requests for copies of W-2s. You can review a compilation of IRS alerts as well as further information on how to avoid tax fraud in general on the IRS' website.

How to Respond to W-2 Phishing Scams

In the event that your organization experiences a W-2 phishing scam, consider the following in responding to potential incidents.

  • Retain competent counsel that has experience with W-2 incidents. In addition to notification services, counsel will assist with providing notice to the IRS and to state taxing authorities. The IRS has indicated that once they are notified, they will monitor affected employees' returns to attempt to prevent fraudulent tax refunds from being paid.
  • Be prepared to investigate the nature and scope of the incident, with focus on ensuring that the perpetrators are not still present in your systems. In most cases involving a phishing scam where a payroll employee inadvertently emails W-2s to the scammer, a forensic investigation will likely not be required, as the scammers never gain access to the system. Additionally, confirm whether the W-2s included the full SSN (as opposed to only the last four digits). The latter may not require formal notification to employees under state data breach notice laws.
  • Pay prompt attention to providing accurate notifications to employees. Determine whether notification to individuals and state agencies is required under applicable state data breach notification laws. Even in incidents that do not require forensic investigation, time is required to draft notification letters, arrange for credit monitoring and engage a vendor to handle mailing notices. State laws require notification to be made as expeditiously as possible, with some states requiring notice within 30 to 45 days. Regulators can be expected to question delays in W-2 incidents, compared with other incidents where a forensic investigation is necessary to determine the scope of affected individuals.
  • Be mindful of communications with employees, and discuss all communications with competent counsel before sending them. Your communication with current and former employees may have consequences down the road should a regulatory inquiry or litigation arise. In particular, W-2 incidents frequently affect former employees who may have left the company on less-than-favorable terms.
  • A growing number of cases have found standing for employees to sue for damages in data security incidents. See, e.g., Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388 (6th Cir. 2016). Other more recent cases have recognized that the purchase of credit monitoring services and certain out-of-pocket costs associated with fraudulent activity following the theft of personally identifiable information can constitute cognizable injuries from W-2 phishing scams. In Savidge v. Pharm-Save, Inc., No. 3:17-CV-00186, 2017 WL 5986972 (W.D. Ky. Dec. 1, 2017), two former Pharm-Save employees brought a class action following a W-2 phishing scam. The company moved to dismiss the case, arguing, in part, that the former employees could only show speculative injury that was not causally related to the phishing incident and thus failed to state a plausible claim for relief. In denying the company's motion, the court found the "purchase of credit monitoring and/or identity protection services, along with [plaintiff]'s expenses associated with the fraudulent tax return filed in her name, were incurred reasonably, rather than in response to injuries that were overly speculative." Id. at *6. Although the court noted that the mere filing of a fraudulent tax return by itself is not a cognizable injury, according to the court, "the fact that cybercriminals have already misused [the plaintiff's] information may suggest that [the] purchase of identity protection services, with the knowledge that her information had already been misused, was reasonable and necessary." Id. at *4, *7.

    In addressing the causation element of the negligence claim, the court in Pharm-Save explained that, in general, "to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence." Id. at *7 (quotation marks omitted) (quoting Resnick v. AvMed, Inc., 693 F.3d 1317, 1326 [11th Cir. 2012]). In Pharm-Save, the court found there was a sufficient nexus between the alleged injury and the incident because the company "specifically told the affected individuals that the breach 'involved the information provided on [their] W-2' and '[i]t is possible that the criminal(s) may have filed or try to file fraudulent tax refunds in the names of our employees.'" Pharm-Save, 2017 WL 5986972, at *7 (quoting the plaintiffs' complaint).

  • Credit monitoring is often offered for W-2 incidents in which employees' SSNs are impacted. Indeed, some states require that companies offer one year of complimentary credit monitoring when individuals' SSNs were impacted, and at least one state regulator routinely requests that two years of coverage be extended to its residents. Companies will want to discuss with their counsel the amount of credit monitoring coverage required for their employees and should consult with their carrier regarding the amount of credit monitoring that is covered by their policy. Additionally, because your company's internal HR and customer support staff are likely impacted by this incident, it may be helpful to have an outside call center answering questions. The notification vendor can typically set up a call center for you as well.
  • Competent counsel will be aware of regulatory reporting obligations following a W-2 incident. For instance, as of July 1, 2017, Virginia requires notification to its attorney general if an employer or payroll service provider has an incident involving computerized data relating to state income tax, i.e., "a taxpayer identification number in combination with the income tax withheld." The notification must include the name and federal employer identification number of the company, which the attorney general will use to notify the state tax department. See Code of Virginia § 18.2-186.6(M).
  • The IRS recommends various steps employees should take if they suspect they are a victim of tax-related identity theft, including the filing of a fraudulent return:

    • Respond immediately to any IRS notice; call the number provided or, if instructed, go to IDVerify.irs.gov.
    • Complete IRS Form 14039, Identity Theft Affidavit, if your e-filed return is rejected because of a duplicate filing under your SSN or you are instructed to do so. Use a fillable form at IRS.gov, print, then attach the form to your return and mail according to instructions.
    • Continue to pay your taxes and file your tax return, even if you must do so on paper.

2018 BakerHostetler Data Security Incident Response Report

Our annual data security incident response report, which provides an in-depth look at cybersecurity trends, will be released soon. Get your complimentary copy by signing up for our mailing list.

For data privacy updates and commentary, be sure to subscribe to BakerHostetler's Data Privacy Monitor blog. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
