“This scam is one of the most powerful and potentially damaging scams we have seen due to how scammers are getting information and the sensitivity of the information they are targeting,” said Melanie Duquesnel,
Tax fraud and identity theft are no longer two separate crimes. Your personal information — and your employees’ — could be breached through tax information. Phishing scams are a big, well-organized business and, this year, they’re coming after your employees.
The IRS issued a warning this January about an email scam sweeping companies across the country. “Email spoofing” isn’t new, but this year’s are expanding to school districts and nonprofits.
How it works
A fake email will be sent to a company’s payroll or human resources department. It will appear to come from a person of authority within the organization. The email typically asks for W-2 forms, an earnings summary of all W-2 employees, or an updated list of employees with their personal details including Social Security Number, home address, and salary.
“This scam is one of the most powerful and potentially damaging scams we have seen due to how scammers are getting information and the sensitivity of the information they are targeting,” said Melanie Duquesnel, President and CEO of Better Business Bureau Serving Eastern Michigan and the Upper Peninsula. “Busy payroll staff and other employees could easily see these as routine emails around tax time and can unwittingly provide criminals with large amounts of personal information – much more than they could get in a credit card scheme.”
It’s hitting close to home. In January, a payroll manager at Indiana-based Scotty’s Brewhouse’s was tricked into sending 4,000 employee tax forms. Weidenhammer, a technology consulting firm with offices across the country (including Michigan) reported a breach in early March when a well-meaning employee provided W-2 tax information for all 180 employees.
What you can do
Clearly, this year’s email spoofing is widespread and hard to detect. There are measures you can take to make sure your employees’ information remains secure:
Educate your employees
- Make sure everyone in your organization knows what’s happening this year. Many people only think credit cards can be breached. They may not even realize tax refund identity fraud exists, much less how easily it can occur.
- Establish protocols for information requests. Require direct follow-up with the person making the request before it is fulfilled.
- Encourage frequent shredding of sensitive documents. Or better yet, only use secure software or online programs to protect sensitive data.
Secure your office
- Implement a password manager system and make sure everyone uses it. Weak or repetitive passwords are often the gateway for online hackers.
- “Layer” your security, especially when using cloud-based systems. There is no one size fits all and achieving complete security is a moving target. Your IT partner can help you build a layered tool kit of security — firewalls, intrusion detection, encryption, etc. — that keeps you ahead of online thieves.
- Activate anti-virus software. This will not only detect threats, but also notify you should a breach occur.
While human error is typically to blame for this year’s incidents, your best line of defense is to secure every level of your business. “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” IRS Commissioner John Koskinen told Forbes.
Protect your employees this tax season. To implement cybersecurity protocol and employee training at your SE Michigan business, contact Dan Heimler, Sales Director at UTEC or call (734) 434-5900.