What to do about W-2 Fraud

As noted, the problem is not exclusive to educational organizations—organizations of all sizes and verticals are at risk. However, the precautions are the same for everyone. The good news is that it’s not exactly rocket science.

Here are some basics to better protect your organization, and all its employees:

  • Spread the Word: Before anything else, warn your Accounting and HR teams NOW that there is a strain of CEO Fraud asking for W-2s. Tell them to watch out for fraudulent emails asking for W-2 information, and to always verify requests of this nature using something other than email (phone, text, an in-person conversation). Warning these teams immediately may prevent a host of problems.
  • Stay Alert: When you get any email about your taxes or your W-2 from literally anybody, whether you know them or not, pick up the phone and verify with your known, trusted tax professional that it was he or she who sent the email. If you send tax information via email, triple-check that the email address you are sending to is correct, and type it in yourself in the “To” field.
    • NEVER click on “reply” and attach your tax information, because that reply email address might be spoofed. Want to be 100 percent safe? Hand-carry your tax info to your tax professional and do the tax return in person with him or her.
    • If you are unable to hand-carry your information, make sure it is encrypted before sending. Many accountants have such encryption programs in place that allow for a safer relay of confidential information.
  • Educate: Read and circulate this link to the IRS site with more tax scams organizations need to watch for: https://www.irs.gov/uac/tax-scams-consumer-alerts.
  • Sound the Alarms: If you receive a scam, report it. The IRS says organizations receiving a W-2 scam email should forward it to phishing@irs.gov and place “W2 Scam” in the subject line.
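
The header checks a mail filter can run in support of the advice above, as an added example that is not part of the original article: it flags messages that mention W-2s and notes when the Reply-To domain differs from the From domain or the sender is outside the organization. The function names, the `example.com` organization domain and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches "W-2", "W2", "W-2s" in the subject or body.
W2_PATTERN = re.compile(r"\bw-?2s?\b", re.IGNORECASE)

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if missing/malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def body_text(msg):
    """Concatenate the text/plain parts of a message."""
    parts = (p for p in msg.walk() if p.get_content_type() == "text/plain")
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)

def w2_request_flags(raw_message, org_domains):
    """Return the reasons this message should be verified by phone or in person."""
    msg = message_from_string(raw_message)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if not W2_PATTERN.search(f"{msg['Subject'] or ''}\n{body_text(msg)}"):
        return flags  # not a W-2 request; nothing to flag here
    flags.append("asks-about-w2")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-differs-from-sender")  # replies would leave the sender's domain
    if from_dom not in org_domains:
        flags.append("external-sender")
    return flags

# Constructed sample messages (example.com stands in for the organization).
SPOOFED = ("From: Pat Example <ceo@example.com>\n"
           "Reply-To: ceo@example.net\n"
           "Subject: Need all employee W-2s today\n\n"
           "Please send the PDF copies as soon as you can.\n")
ROUTINE = ("From: hr@example.com\n"
           "Subject: Lunch menu\n\n"
           "Sandwiches on Friday.\n")

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("ROUTINE", ROUTINE)):
        print(name, w2_request_flags(raw, {"example.com"}))
```

A From header can itself be forged, so a message with only the `asks-about-w2` flag still needs verification by phone or in person; the extra flags only raise its priority.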

While W-2 fraud is in full swing during tax season, similar phishing and social engineering techniques happen all year round. Always ensure you and your colleagues keep a high level of vigilance by remembering a few basic things: No matter the time of year, if you receive an email that has misspellings, grammar mistakes or just sets off your internal alarm, DO NOT respond, forward, or click any link inside the email. Call to confirm who sent it to you, and if this person cannot confirm, immediately engage your IT department.

About the Author:

Stu is the CEO and founder of KnowBe4, a new-school security awareness training company. He is formerly the co-founder of Sunbelt Software, developer of VIPRE Antivirus, which in 2010 was acquired by GFI Software, a portfolio company of Insight Venture Partners.