It’s W2 time! You know it, I know it, and criminals know it. Every year dozens of human resource professionals fall victim to phishing schemes. Criminals target HR departments posing as C-level leadership, often with spoofed email addresses that look very similar to the correct email address, requesting a copy of the W2s for all employees. Eager to comply – and possibly flattered by the high-level outreach – unsuspecting employees may be tempted to hand over confidential records with disastrous effects.
No CEO would ever request copies of employees’ W2s.
If the scam is successful …
Assuming an attacker successfully acquires the W2s that they’re after, they will use the data to commit identity theft, fraudulently file tax returns, and route the refunds to their own bank accounts. When the unsuspecting employees go to file their returns, the returns are rejected. This is generally the first indication an individual has that there’s an issue with his or her record.
Don’t fall for the scam.
Remind your organization of these tips:
- Pause for a moment. Anytime you receive an email that’s out of the ordinary, pause before clicking on any links, downloading any content, or replying with any sensitive data. ‘Out of the ordinary’ can refer to the sender, the topic, or the request.
- Verify the request. Call the person who appears to have emailed you to verify the legitimacy of the request. If you’re hesitant to call the sender, such as the CEO, that could be an indication that they didn’t email you.
- Report the phish. The sooner your security team is aware that your organization is a target, the sooner they can block and defend against a potential data breach. Make it easy for your employees to report suspicious behavior.
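For the security team on the receiving end of those reports, here is one way to flag the pattern described above, a sender address that looks very similar to the correct one combined with a request for W2s. This is an added example, not part of the original post; the domain `example.com`, the function names and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's real mail domain
W2_REQUEST = re.compile(r"\bw-?2s?\b", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Classify one raw message as 'hold', 'review' or 'pass'."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    external = domain != ORG_DOMAIN
    # A near miss of the real domain (one or two characters off) is a lookalike.
    lookalike = external and edit_distance(domain, ORG_DOMAIN) <= 2
    text = msg.get("Subject", "") + "\n" + str(msg.get_payload())
    asks_w2 = bool(W2_REQUEST.search(text))
    if lookalike and asks_w2:
        return "hold"      # quarantine and alert the security team
    if lookalike or (external and asks_w2):
        return "review"    # log for follow-up before anyone replies
    return "pass"

# Constructed sample messages (not real mail).
LOOKALIKE = ("From: Pat CEO <pat@examp1e.com>\nSubject: Urgent request\n\n"
             "Please send me a copy of the W2s for all employees today.")
EXTERNAL = ("From: Payroll News <news@vendor.test>\nSubject: W-2 deadline\n\n"
            "Reminder: W-2 forms are due to employees soon.")
INTERNAL = ("From: Pat CEO <pat@example.com>\nSubject: Lunch\n\n"
            "Are we still on for noon?")

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("external", EXTERNAL),
                      ("internal", INTERNAL)]:
        print(name, "->", triage(raw))
```

A message that forges the exact organization domain passes this check, so it complements sender authentication (SPF, DKIM, DMARC) rather than replacing it.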
What creative awareness tactics are you using to train your team to defend against cyber threats?