By Jennifer Archie and Alex Stout
Tax-related identity theft is nothing new, but tax season 2016 took tax schemes to a new level.
Last year, our cyber experts advised a large cluster of clients (public and private companies) over a period of only two weeks, following a nationwide explosion of deviously simple attacks—mostly targeted at mid-size companies—that followed the same fact pattern: the Director of Human Resources or Chief Financial Officer received an email appearing to come from a senior executive (normally the CEO) asking for copies of all of the company’s W-2 tax forms; the recipient was fooled by the email and sent the requested records to the attacker; and hours or days later, the company came to the sickening realization that hundreds, if not thousands, of personnel records were compromised. Even worse, the stolen information was rapidly exploited in fraudulent tax return filings, diverting expected tax refunds to the scammers, and saddling often the most senior (highly compensated) company employees with a huge headache of sorting out their personal finances and tax return status with the IRS.
These tax refund thefts attacks are highly automated, quick, easy, and inexpensive to initiate, and last year fraudsters blanketed businesses with record volumes of attacks. As simple as the attacks are, it can be a difficult and painful process to protect your employees in the aftermath.