By Jennifer Archie and Alex Stout

Tax-related identity theft is nothing new, but tax season 2016 took tax schemes to a new level.

Last year, our cyber experts advised a large cluster of clients (public and private companies) over a period of only two weeks, following a nationwide explosion of deviously simple attacks—mostly targeted at mid-size companies—that followed the same fact pattern:  the Director of Human Resources or Chief Financial Officer received an email appearing to come from a senior executive (normally the CEO) asking for copies of all of the company’s W-2 tax forms; the recipient was fooled by the email and sent the requested records to the attacker; and hours or days later, the company came to the sickening realization that hundreds, if not thousands, of personnel records were compromised. Even worse, the stolen information was rapidly exploited in fraudulent tax return filings, diverting expected tax refunds to the scammers, and saddling often the most senior (highly compensated) company employees with a huge headache of sorting out their personal finances and tax return status with the IRS.

These tax refund thefts attacks are highly automated, quick, easy, and inexpensive to initiate, and last year fraudsters blanketed businesses with record volumes of attacks. As simple as the attacks are, it can be a difficult and painful process to protect your employees in the aftermath.

The good news? You can very easily prevent this scenario from unfolding at your company:

  • Send your employees – especially in the HR, payroll and finance functions — an urgent reminder that no one will ever ask them to email W-2s, particularly in bulk. And by all means, be sure that is the case. Sensitive documents like these should never be emailed, unless doing so is explicitly authorized by company policies and secure protocols are followed.
  • If your employees receive a request for access to (other) employees’ W-2 forms or tax data, they should call (or better yet, speak in person with) the requestor and also a supervisor to validate the origin and purpose of the request before taking any further action. (Another option is to require any such request to be digitally signed by appropriate personnel.) Ask first, not after sending! Even then, there is almost certainly a better way to answer a legitimate business question than sharing this sensitive employee data via email or otherwise.
  • Take action now to limit who has access to tax and payroll information to begin with. While many times these attacks target individuals with legitimate access to employee records (like the Director of Human Resources), reducing the number of people who have access to this data exponentially reduces the risk that it will be improperly shared.
  • Institute firm encryption policies that require human resources data (and other sensitive information) to be securely encrypted when in transit, without exception. Also remember that passwords must be sent separately (unfortunately, we witnessed a few occasions where companies did the right thing and encrypted their data, only to then share the password with the attacker).
  • Acquire software that alerts employees when they are sending an attachment to someone outside the company. Some programs can scan and block outbound email that includes attachments with sensitive information like Social Security numbers. Using these tools can help to prevent accidents.

If you think that your company has already been a victim of one of these attacks:

  • Speed is of the essence! Begin working to identify which of your employees may have been affected. Last year we routinely saw timeframes of less than 24 hours between the attack and the filing of the first fraudulent tax returns (stealing large refunds, in some cases). Your employees can take steps to protect themselves with the IRS, but only if they are given the proper notice.
  • Don’t go it alone. State data breach laws are confusing, often requiring you to share information in one state, while forbidding the same sharing in another. Short timelines and high stress can compound the problem for your company (and its employees), while attracting unwanted attention from state regulators. Call your data security counsel immediately.
  • Gather your company’s insurance policies. Your data privacy counsel may recommend that you notify your employees and procure for each of them identity theft monitoring and prevention services. While coverage for this sort of “attack” will vary, notices and services may be covered by your company’s liability insurance and it helps to know the terms and limits of your policies.